Abstract. The reachability problem for timed automata asks if there
exists a path from an initial state to a target state. The standard solution
to this problem involves computing the zone graph of the automaton,
which in principle could be infinite. In order to make the graph finite,
zones are approximated using an extrapolation operator. For reasons of
efficiency, in current algorithms the extrapolation of a zone is always a zone,
and in particular it is convex.

In this paper, we propose to solve the reachability problem without such
extrapolation operators. To ensure termination, we provide an efficient
algorithm to check if a zone is included in the so-called region closure
of another. Although theoretically better, closure cannot be used in the
standard algorithm since the closure of a zone may not be convex.
An additional benefit of the proposed approach is that it permits
calculating approximating parameters on-the-fly during exploration of the
zone graph, as opposed to the current methods which do it by a static
analysis of the automaton prior to the exploration. This allows for
further improvements in the algorithm. Promising experimental results are
presented.

1 Introduction 

Timed automata [1] are obtained from finite automata by adding clocks that can 
be reset and whose values can be compared with constants. The crucial property 
of timed automata is that their reachability problem is decidable: one can check 
if a given target state is reachable from the initial state. Reachability algorithms 
are at the core of verification tools like Uppaal [4] or RED [16], and are used 
in industrial case studies [11,6]. The standard solution constructs a search tree 
whose nodes are approximations of zones. In this paper we give an efficient 
algorithm for checking if a zone is included in an approximation of another zone. 
This enables a reachability algorithm to work with search trees whose nodes are 
just unapproximated zones. This has numerous advantages: one can use non- 
convex approximations, and one can compute approximating parameters on the 
fly. 

The first solution to the reachability problem used regions, which are
equivalence classes of clock valuations. Subsequent research has shown that the
region abstraction is very inefficient, and another method using zones instead of
regions has been proposed. This can be implemented efficiently using DBMs [10]
and is used at present in almost all timed-verification tools. The number of
reachable zones can be infinite, so one needs an abstraction operator to get
a finite approximation. The simplest is to approximate a zone with the set of
regions it intersects, the so-called closure of a zone. Unfortunately, the closure
may not always be convex and no efficient representation of closures is known.
For this reason implementations use another convex approximation that is also
based on (refined) regions.

We propose a new algorithm for the reachability problem using closures of 
zones. To this effect we provide an efficient algorithm for checking whether a 
zone is included in a closure of another zone. In consequence we can work with 
non-convex approximations without a need to store them explicitly. 

Thresholds for approximations are very important for efficient implementation.
Good thresholds give substantial gains in time and space. The simplest
approach is to take as a threshold the maximal constant appearing in a transition
of the automaton. A considerable gain in efficiency can be obtained by analyzing
the graph of the automaton and calculating thresholds specific for each clock
and state of the automaton [2]. An even more efficient approach is the so-called
LU-approximation that distinguishes between upper and lower bounds [3]. This
is the method used in the current implementation of UPPAAL. We show that
we can accommodate closure on top of the LU-approximation at no extra cost.

Since our algorithm never stores approximations, we can compute thresholds 
on-the-fly. This means that our computation of thresholds does not take into 
account unreachable states. In consequence in some cases we get much better 
LU-thresholds than those obtained by static analysis. This happens in particular 
in a very common context of analysis of parallel compositions of timed automata. 

Related work 

The topic of this paper is approximation of zones and efficient handling of them.
We show that it is possible to use non-convex approximations and that it can be
done efficiently. In particular, we improve on state-of-the-art approximations [3].
Every forward algorithm needs approximations, so our work can apply to tools
like RED or UPPAAL.

Recent work [15] reports on a backward analysis approach using general linear
constraints. This approach does not use approximations and relies on an SMT solver
to simplify the constraints. Comparing forward and backward methods would
require a substantial test suite, and is not the subject of this paper.

Organization of the paper 

The next section presents the basic notions and recalls some of their properties.
Section 3 describes the new algorithm for an efficient inclusion test between a zone
and the closure of another zone. The algorithm constructing the search tree and
calculating approximations on-the-fly is presented in Section 4. Some results
obtained with a prototype implementation are presented in the last section. All
missing proofs are presented in the full version of the paper [13].

2 Preliminaries 

2.1 Timed automata and the reachability problem 

Let $X$ be a set of clocks, i.e., variables that range over $\mathbb{R}_{\ge 0}$, the set of
non-negative real numbers. A clock constraint is a conjunction of constraints $x \# c$ for
$x \in X$, $\# \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$, e.g. $(x < 3 \wedge y \ge 0)$. Let $\Phi(X)$ denote
the set of clock constraints over clock variables $X$. A clock valuation over $X$ is a
function $v : X \to \mathbb{R}_{\ge 0}$. We denote by $\mathbb{R}_{\ge 0}^X$ the set of clock valuations over $X$, and
by $\mathbf{0}$ the valuation that associates $0$ to every clock in $X$. We write $v \models \phi$ when $v$
satisfies $\phi \in \Phi(X)$, i.e. when every constraint in $\phi$ holds after replacing every $x$
by $v(x)$. For $\delta \in \mathbb{R}_{\ge 0}$, let $v + \delta$ be the valuation that associates $v(x) + \delta$ to every
clock $x$. For $R \subseteq X$, let $[R]v$ be the valuation that sets $x$ to $0$ if $x \in R$, and that
sets $x$ to $v(x)$ otherwise.

A Timed Automaton (TA) is a tuple $\mathcal{A} = (Q, q_0, X, T, Acc)$ where $Q$ is a finite
set of states, $q_0 \in Q$ is the initial state, $X$ is a finite set of clocks, $Acc \subseteq Q$ is a
set of accepting states, and $T \subseteq Q \times \Phi(X) \times 2^X \times Q$ is a finite set of transitions
$(q, g, R, q')$ where $g$ is a guard, and $R$ is the set of clocks that are reset on the
transition. An example of a TA is depicted in Figure 1. The class of TA we
consider is commonly known as diagonal-free TA since clock comparisons like
$x - y < 1$ are disallowed. Notice that since we are interested in state reachability,
considering timed automata without state invariants does not entail any loss of
generality. Indeed, state invariants can be added to guards, then removed, while
preserving state reachability.

A configuration of $\mathcal{A}$ is a pair $(q, v) \in Q \times \mathbb{R}_{\ge 0}^X$; $(q_0, \mathbf{0})$ is the initial
configuration. We write $(q, v) \xrightarrow{\delta, t} (q', v')$ if there exists $\delta \in \mathbb{R}_{\ge 0}$ and a
transition $t = (q, g, R, q')$ in $\mathcal{A}$ such that $v + \delta \models g$, and $v' = [R](v + \delta)$. Then $(q', v')$
is called a successor of $(q, v)$. A run of $\mathcal{A}$ is a finite sequence of transitions

$(q_0, v_0) \to (q_1, v_1) \to \cdots \to (q_n, v_n)$ starting from $(q_0, v_0) = (q_0, \mathbf{0})$.

A run is accepting if it ends in a configuration $(q_n, v_n)$ with $q_n \in Acc$. The
reachability problem is to decide whether a given automaton has an accepting
run. This problem is known to be PSPACE-complete [1,8].

2.2 Symbolic semantics for timed automata 

The reachability problem is solved using so-called symbolic semantics. It
considers sets of (uncountably many) valuations instead of valuations separately. A
zone is a set of valuations defined by a conjunction of two kinds of constraints:
comparison of the difference between two clocks with an integer like $x - y \# c$, or
comparison of a single clock with an integer like $x \# c$, where $\# \in \{<, \le, =, \ge, >\}$
and $c \in \mathbb{N}$. For instance $(x - y \ge 1) \wedge (y < 2)$ is a zone. The transition relation
on valuations is transferred to zones as follows. We have $(q, Z) \xrightarrow{t} (q', Z')$ if $Z'$ is
the set of valuations $v'$ such that $(q, v) \xrightarrow{\delta, t} (q', v')$ for some $v \in Z$ and $\delta \in \mathbb{R}_{\ge 0}$.
The node $(q', Z')$ is called a successor of $(q, Z)$. It can be checked that if $Z$ is a
zone, then $Z'$ is also a zone.

The zone graph of $\mathcal{A}$, denoted $ZG(\mathcal{A})$, has nodes of the form $(q, Z)$ with initial
node $(q_0, \{\mathbf{0}\})$, and edges defined as above. Immediately from the definition of
$ZG(\mathcal{A})$ we infer that $\mathcal{A}$ has an accepting run iff there is a node $(q, Z)$ reachable
in $ZG(\mathcal{A})$ with $q \in Acc$.

Now, every node $(q, Z)$ has finitely many successors: at most one successor
of $(q, Z)$ per transition in $\mathcal{A}$. Still a reachability algorithm may not terminate as
the number of reachable nodes in $ZG(\mathcal{A})$ may not be finite [9]. The next step is
thus to define an abstract semantics of $\mathcal{A}$ as a finite graph. The basic idea is to
define a finite partition of the set of valuations $\mathbb{R}_{\ge 0}^X$. Then, instead of considering
nodes $(q, S)$ with a set of valuations $S$ (e.g. zones $Z$), one considers the union of the
parts of $\mathbb{R}_{\ge 0}^X$ that intersect $S$. This gives the finite abstraction.

Let us consider a bound function $\alpha$ associating to each clock $x$ of $\mathcal{A}$ a bound
$\alpha_x \in \mathbb{N}$. A region [1] with respect to $\alpha$ is the set of valuations specified as follows:

1. for each clock $x \in X$, one constraint from the set:

$\{x = c \mid c = 0, \ldots, \alpha_x\} \cup \{c - 1 < x < c \mid c = 1, \ldots, \alpha_x\} \cup \{x > \alpha_x\}$

2. for each pair of clocks $x, y$ having interval constraints $c - 1 < x < c$ and
$d - 1 < y < d$, it is specified if $fract(x)$ is less than, equal to or greater than
$fract(y)$.

It can be checked that the set of regions is a finite partition of $\mathbb{R}_{\ge 0}^X$.

The closure abstraction of a set of valuations $S$, denoted $Closure_\alpha(S)$, is the
union of the regions that intersect $S$ [7]. A simulation graph, denoted $SG_\alpha(\mathcal{A})$,
has nodes of the form $(q, S)$ where $q$ is a state of $\mathcal{A}$ and $S \subseteq \mathbb{R}_{\ge 0}^X$ is a set of
valuations. The initial node of $SG_\alpha(\mathcal{A})$ is $(q_0, \{\mathbf{0}\})$. There is an edge
$(q, S) \xrightarrow{t} (q', Closure_\alpha(S'))$ in $SG_\alpha(\mathcal{A})$ iff $S'$ is the set of valuations $v'$ such that
$(q, v) \xrightarrow{\delta, t} (q', v')$ for some $v \in S$ and $\delta \in \mathbb{R}_{\ge 0}$. Notice that the reachable part of
$SG_\alpha(\mathcal{A})$ is finite since the number of regions is finite.

The definition of the graph $SG_\alpha(\mathcal{A})$ is parametrized by a bound function
$\alpha$. It is well-known that if we take $\alpha_{\mathcal{A}}$ associating to each clock $x$ the maximal
integer $c$ such that $x \# c$ appears in some guard of $\mathcal{A}$, then $SG_{\alpha_{\mathcal{A}}}(\mathcal{A})$ preserves the
reachability properties.

Theorem 1. [7] $\mathcal{A}$ has an accepting run iff there is a reachable node $(q, S)$ in
$SG_\alpha(\mathcal{A})$ with $q \in Acc$ and $\alpha_{\mathcal{A}} \le \alpha$.

For efficiency it is important to have a good bound function $\alpha$. The nodes of
$SG_\alpha(\mathcal{A})$ are unions of regions. Hence the size of $SG_\alpha(\mathcal{A})$ depends on the number
of regions, which is $O(|X|! \cdot 2^{|X|} \cdot \prod_{x \in X}(2\alpha_x + 2))$ [1]. It follows that smaller values
for $\alpha$ yield a coarser, hence smaller, symbolic graph $SG_\alpha(\mathcal{A})$. Note that current
implementations do not use closure but some convex under-approximation of it
that makes the graph even bigger.

It has been observed in [2] that instead of considering a global bound function
$\alpha_{\mathcal{A}}$ for all states in $\mathcal{A}$, one can use different functions in each state of the
automaton. Consider for instance the automaton $\mathcal{A}$ in Figure 1. Looking at the
guards, we get that $\alpha_x = 14$ and $\alpha_y = 10^6$. Yet, a closer look at the automaton
reveals that in the state $q_2$ it is enough to take the bound $\alpha_y(q_2) = 5$. This
observation from [2] points out that one can often get very big gains by associating
a bound function $\alpha(q)$ to each state $q$ in $\mathcal{A}$ that is later used for the abstraction
of nodes of the form $(q, Closure_{\alpha(q)}(S))$. In op. cit. an algorithm for inferring
bounds based on static analysis of the structure of the automaton is proposed.
In Section 4.2 we will show how to calculate these bounds on-the-fly during the
exploration of the automaton's state space.

Fig. 1. Timed automaton $\mathcal{A}$. (The figure is not reproduced; only fragments of two
edge labels, "y > 5, x :=" and "y > 10^6", survived extraction.)

3 Efficient testing of inclusion in a closure of a zone 

The tests of the form Z C Closure a (Z') will be at the core of the new algo- 
rithm we propose. This is an important difference with respect to the standard 
algorithm that makes the tests of the form Z C Z' . The latter tests are done in 
C(|X| 2 ) time, where |X| is the number of clocks. We present in this section a 
simple algorithm that can do the tests Z C Closure a (Z') at the same complexity 
with neither the need to represent nor to compute the closure. 

We start by examining the question as to how one decides if a region R 
intersects a zone Z. The important point is that it is enough to verify that the 
projection on every pair of variables is nonempty. This is the cornerstone for the 
efficient inclusion testing algorithm that even extends to LU-approximations. 

3.1 When is $R \cap Z$ empty

It will be very convenient to represent zones by distance graphs. Such a graph
has clocks as vertices, with an additional special clock $x_0$ representing constant
$0$. For readability, we will often write $0$ instead of $x_0$. Between every two vertices
there is an edge with a weight of the form $(\preceq, c)$ where $c \in \mathbb{Z} \cup \{\infty\}$ and $\preceq$ is
either $<$ or $\le$. An edge $x \xrightarrow{\preceq c} y$ represents a constraint $y - x \preceq c$: or in words,
the distance from $x$ to $y$ is bounded by $c$. Let $[G]$ be the set of valuations of
clock variables satisfying all the constraints given by the edges of $G$ with the
restriction that the value of $x_0$ is $0$.

An arithmetic over the weights $(\preceq, c)$ can be defined as follows [5].

Equality $(\preceq_1, c_1) = (\preceq_2, c_2)$ if $c_1 = c_2$ and $\preceq_1 = \preceq_2$.
Addition $(\preceq_1, c_1) + (\preceq_2, c_2) = (\preceq, c_1 + c_2)$ where $\preceq$ is $<$ iff either $\preceq_1$ or $\preceq_2$ is $<$.
Minus $-(\preceq, c) = (\preceq, -c)$.
Order $(\preceq_1, c_1) < (\preceq_2, c_2)$ if either $c_1 < c_2$ or ($c_1 = c_2$ and $\preceq_1$ is $<$ and $\preceq_2$ is $\le$).
Floor $\lfloor (<, c) \rfloor = (\le, c - 1)$ and $\lfloor (\le, c) \rfloor = (\le, c)$.

This arithmetic lets us talk about the weight of a path as the sum of the weights
of its edges. A cycle in a distance graph $G$ is said to be negative if the sum of
the weights of its edges is at most $(<, 0)$; otherwise the cycle is positive. The
following useful proposition is folklore.

Proposition 1. A distance graph $G$ has only positive cycles iff $[G] \neq \emptyset$.

A distance graph is in canonical form if the weight of the edge from $x$ to $y$ is
the lower bound of the weights of paths from $x$ to $y$. A distance graph of a region
$R$, denoted $G_R$, is the canonical graph representing all the constraints defining
$R$. Similarly $G_Z$ for a zone $Z$.

We can now state a necessary and sufficient condition for the intersection
$R \cap Z$ to be empty in terms of cycles in distance graphs. We denote by $R_{xy}$ the
weight of the edge $x \xrightarrow{R_{xy}} y$ in the canonical distance graph representing $R$.
Similarly for $Z$.

Proposition 2. Let $R$ be a region and let $Z$ be a zone. The intersection $R \cap Z$
is empty iff there exist variables $x, y$ such that $Z_{yx} + R_{xy} < (\le, 0)$.

A variant of this fact has been proven as an intermediate step of Proposition 2
in [7].

3.2 Efficient inclusion testing

Our goal is to efficiently perform the test $Z \subseteq Closure_\alpha(Z')$ for two zones $Z$ and
$Z'$. We are aiming at $O(|X|^2)$ complexity, since this is the complexity of current
algorithms used for checking inclusion of two zones. Proposition 2 can be used
to efficiently test the inclusion $R \subseteq Closure_\alpha(Z')$. It remains to understand what
are the regions intersecting the zone $Z$ and then to consider all possible cases.
The next lemma basically says that every consistent instantiation of an edge in
$G_Z$ leads to a region intersecting $Z$.

Lemma 1. Let $G$ be a distance graph in canonical form, with all cycles positive.
Let $x, y$ be two variables, and let $x \xrightarrow{\preceq_{xy} c_{xy}} y$ and $y \xrightarrow{\preceq_{yx} c_{yx}} x$ be edges in $G$. For
every $d \in \mathbb{R}$ such that $d \preceq_{xy} c_{xy}$ and $-d \preceq_{yx} c_{yx}$ there exists a valuation $v \in [G]$
with $v(y) - v(x) = d$.

Thanks to this lemma it is enough to look at the edges of $G_Z$ one by one to see what
regions we can get. This insight is used to get the desired efficient inclusion test.

Theorem 2. Let $Z, Z'$ be zones. Then, $Z \not\subseteq Closure_\alpha(Z')$ iff there exist
variables $x, y$, both different from $x_0$, such that one of the following conditions holds:

1. $Z'_{0x} < Z_{0x}$ and $Z'_{0x} < (\le, \alpha_x)$, or

2. $Z'_{x0} < Z_{x0}$ and $Z_{x0} \ge (\le, -\alpha_x)$, or

3. $Z_{x0} \ge (\le, -\alpha_x)$ and $Z'_{xy} < Z_{xy}$ and $Z'_{xy} < (\le, \alpha_y) + \lfloor Z_{x0} \rfloor$.
Comparison with the algorithm for $Z \subseteq Z'$. Given two zones $Z$ and $Z'$,
the procedure for checking $Z \subseteq Z'$ works on two graphs $G_Z$ and $G_{Z'}$ that are
in canonical form. This form reduces the inclusion test to comparing the edges
of the graphs one by one. Note that our algorithm for $Z \subseteq Closure_\alpha(Z')$ does
not do worse. It works on $G_Z$ and $G_{Z'}$ too. The edge by edge checks are only
marginally more complicated. The overall procedure is still $O(|X|^2)$.

3.3 Handling LU-approximation

In [3] the authors propose to distinguish between maximal constants used in
upper and lower bound comparisons: for each clock $x$, $L_x \in \mathbb{N} \cup \{-\infty\}$ represents
the maximal constant $c$ such that there exists a constraint $x > c$ or $x \ge c$ in a
guard of a transition in the automaton; dually, $U_x \in \mathbb{N} \cup \{-\infty\}$ represents the
maximal constant $c$ such that there is a constraint $x < c$ or $x \le c$ in a guard
of a transition. If such a $c$ does not exist, then it is considered to be $-\infty$. They
have introduced an extrapolation operator $Extra^+_{LU}(Z)$ that takes into account
this information. This is probably the best presently known convex abstraction
of zones.

We now explain how to extend our inclusion test to handle LU-approximation,
namely given $Z$ and $Z'$ how to directly check $Z \subseteq Closure_\alpha(Extra^+_{LU}(Z'))$
efficiently. Observe that for each $x$, the maximal constant $\alpha_x$ is the maximum
of $L_x$ and $U_x$. In the sequel, this is denoted $Z \subseteq Closure^+_{LU}(Z')$. For this we
need to understand first when a region intersecting $Z$ intersects $Extra^+_{LU}(Z')$.
Therefore, we study the conditions that a region $R$ should satisfy if it intersects
$Extra^+_{LU}(Z)$ for a zone $Z$.

We recall the definition given in [3] that has originally been presented using
difference bound matrices (DBM). In a DBM, $(c_{ij}, \prec_{ij})$ stands for $x_i - x_j \prec_{ij} c_{ij}$.
In the language of distance graphs, this corresponds to an edge $x_j \xrightarrow{\prec_{ij} c_{ij}} x_i$,
hence to $Z_{ji}$ in our notation. Let $Z^+$ denote $Extra^+_{LU}(Z)$ and $G_{Z^+}$ its distance
graph. We have:

$$
Z^+_{xy} =
\begin{cases}
(<, \infty) & \text{if } Z_{xy} > (\le, L_y) \\
(<, \infty) & \text{if } -Z_{y0} > (\le, L_y) \\
(<, \infty) & \text{if } -Z_{x0} > (\le, U_x),\ y \neq 0 \\
(<, -U_x) & \text{if } -Z_{x0} > (\le, U_x),\ y = 0 \\
Z_{xy} & \text{otherwise.}
\end{cases}
\qquad (1)
$$

From this definition it will be important for us to note that $G_{Z^+}$ is $G_Z$ with
some weights put to $(<, \infty)$ and some weights on the edges to $x_0$ put to $(<, -U_x)$.
Note that $Extra^+_{LU}(Z')$ is not in the canonical form. If we put $Extra^+_{LU}(Z')$ into
the canonical form then we could just use Theorem 2. We cannot afford to do
this since canonization can take cubic time [5]. The following theorem implies
that we can do the test without canonizing $Extra^+_{LU}(Z')$. Hence we can get a
simple quadratic test also in this case.

Theorem 3. Let $Z, Z'$ be zones. Let $Z'^+$ denote $Extra^+_{LU}(Z')$ obtained from
$Z'$ using Equation (1) for each edge. Note that $Z'^+$ is not necessarily in canonical
form. Then, we get that $Z \not\subseteq Closure_\alpha(Z'^+)$ iff there exist variables $x, y$ different
from $x_0$ such that one of the following conditions holds:

1. $Z'^+_{0x} < Z_{0x}$ and $Z'^+_{0x} < (\le, \alpha_x)$, or

2. $Z'^+_{x0} < Z_{x0}$ and $Z_{x0} \ge (\le, -\alpha_x)$, or

3. $Z_{x0} \ge (\le, -\alpha_x)$ and $Z'^+_{xy} < Z_{xy}$ and $Z'^+_{xy} < (\le, \alpha_y) + \lfloor Z_{x0} \rfloor$.

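To make the tests of Sections 3.2 and 3.3 concrete, here is an added Python example (not code from the paper) implementing the weight arithmetic of Section 3.1, canonical form by Floyd-Warshall, the three conditions of Theorem 2, and $Extra^+_{LU}$ from Equation (1), so that the same routine also performs the Theorem 3 test on the non-canonical graph. The clocks, the guard bounds $L$, $U$ and the three zones are constructed for illustration.

```python
import math

INF = math.inf
LE, LT = False, True   # strictness of a weight (preceq, c): LE is "<=", LT is "<"

# Weight arithmetic of Section 3.1; a weight (preceq, c) is stored as the pair (c, strict).
def w_add(a, b):
    return (a[0] + b[0], a[1] or b[1])        # strict iff either operand is strict

def w_neg(a):
    return (-a[0], a[1])

def w_lt(a, b):
    """(p1,c1) < (p2,c2) iff c1 < c2, or c1 == c2 with p1 = '<' and p2 = '<='."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] == LT and b[1] == LE)

def w_floor(a):
    return (a[0] - 1, LE) if a[1] == LT else (a[0], LE)

def canonical(G, V):
    """Floyd-Warshall over the weight arithmetic: D[u][v] becomes the tightest bound
    on v - u, i.e. the canonical form; a negative cycle means [G] is empty."""
    D = {u: {v: (0, LE) if u == v else G.get((u, v), (INF, LT)) for v in V} for u in V}
    for k in V:
        for u in V:
            for v in V:
                via_k = w_add(D[u][k], D[k][v])
                if w_lt(via_k, D[u][v]):
                    D[u][v] = via_k
    if any(w_lt(D[u][u], (0, LE)) for u in V):
        raise ValueError("negative cycle: the zone is empty")   # Proposition 1
    return D

def zone(clocks, edges):
    """Canonical graph of the zone given by edges (u, v, w) meaning v - u preceq c;
    '0' is the special clock x0 and every clock is implicitly >= 0."""
    G = {(x, '0'): (0, LE) for x in clocks}
    for u, v, w in edges:
        if (u, v) not in G or w_lt(w, G[(u, v)]):
            G[(u, v)] = w
    return canonical(G, ['0'] + clocks)

def subset(Z, Zp):
    """The usual test Z subset of Z' on canonical graphs: compare the edges one by one."""
    return all(not w_lt(Zp[u][v], Z[u][v]) for u in Z for v in Z)

def not_in_closure(Z, Zp, alpha, clocks):
    """Theorem 2: Z is NOT a subset of Closure_alpha(Z') iff some clocks x, y meet one of
    the three conditions. Z must be canonical; Zp may be the non-canonical graph
    Extra+_LU(Z'), in which case this is exactly the test of Theorem 3."""
    for x in clocks:
        if w_lt(Zp['0'][x], Z['0'][x]) and w_lt(Zp['0'][x], (alpha[x], LE)):
            return True                                        # condition 1
        x_low_ok = not w_lt(Z[x]['0'], (-alpha[x], LE))       # Z_x0 >= (<=, -alpha_x)
        if x_low_ok and w_lt(Zp[x]['0'], Z[x]['0']):
            return True                                        # condition 2
        for y in clocks:
            bound = w_add((alpha[y], LE), w_floor(Z[x]['0']))
            if x_low_ok and w_lt(Zp[x][y], Z[x][y]) and w_lt(Zp[x][y], bound):
                return True                                    # condition 3
    return False

def extra_lu(Z, L, U, clocks):
    """Equation (1) applied edge by edge to the canonical graph of Z. The result,
    Extra+_LU(Z), is deliberately left non-canonical, as Theorem 3 allows."""
    V = ['0'] + clocks
    Zp = {u: dict(Z[u]) for u in V}
    for x in V:
        for y in V:
            if x == y:
                continue
            if y != '0' and (w_lt((L[y], LE), Z[x][y]) or w_lt((L[y], LE), w_neg(Z[y]['0']))):
                Zp[x][y] = (INF, LT)          # Z_xy > (<=, L_y)  or  -Z_y0 > (<=, L_y)
            elif x != '0' and w_lt((U[x], LE), w_neg(Z[x]['0'])):
                Zp[x][y] = (INF, LT) if y != '0' else (-U[x], LT)   # -Z_x0 > (<=, U_x)
    return Zp

# Constructed example: two clocks whose only guards are assumed to be x >= 1 and y <= 1.
CLOCKS = ['x', 'y']
L_BOUND, U_BOUND = {'x': 1, 'y': -INF}, {'x': -INF, 'y': 1}
ALPHA = {c: max(L_BOUND[c], U_BOUND[c]) for c in CLOCKS}              # alpha_x = alpha_y = 1
ZP = zone(CLOCKS, [('x', 'y', (0, LE)), ('y', 'x', (0, LE))])         # Z' : x = y
Z1 = zone(CLOCKS, [('y', 'x', (-2, LE))])                              # Z1 : y - x >= 2
Z2 = zone(CLOCKS, [('x', '0', (-2, LE)), ('y', '0', (-2, LE))])       # Z2 : x >= 2, y >= 2

def demo():
    """Z2 leaves Z' but stays in its closure; Z1 leaves Closure_alpha(Z') yet lies inside
    Closure_alpha(Extra+_LU(Z')) because no guard ever bounds x from above."""
    zp_plus = extra_lu(ZP, L_BOUND, U_BOUND, CLOCKS)
    return {
        "Z2 in Z'": subset(Z2, ZP),
        "Z2 in Closure(Z')": not not_in_closure(Z2, ZP, ALPHA, CLOCKS),
        "Z1 in Closure(Z')": not not_in_closure(Z1, ZP, ALPHA, CLOCKS),
        "Z1 in Closure(Extra+_LU(Z'))": not not_in_closure(Z1, zp_plus, ALPHA, CLOCKS),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")   # False, True, False, True
```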
4 A New Algorithm for Reachability 

Our goal is to decide if a final state of a given timed automaton is reachable. We
do it by computing a finite prefix of the reachability tree of the zone graph $ZG(\mathcal{A})$
that is sufficient to solve the reachability problem. Finiteness is ensured by not
exploring a node $(q, Z)$ if there exists a $(q, Z')$ such that $Z \subseteq Closure_\alpha(Z')$, for
a suitable $\alpha$. We will first describe a simple algorithm based on the closure and
then we will address the issue of finding tighter bounds for the clock values.

4.1 The basic algorithm 

Given a timed automaton $\mathcal{A}$ we first calculate the bound function $\alpha_{\mathcal{A}}$ as
described just before Theorem 1. Each node in the tree that we compute is of the
form $(q, Z)$, where $q$ is a state of the automaton, and $Z$ is an unapproximated
zone. The root node is $(q_0, Z_0)$, which is the initial node of $ZG(\mathcal{A})$. The algorithm
performs a depth first search: at a node $(q, Z)$, a transition $t = (q, g, R, q')$ not yet
considered for exploration is picked and the successor $(q', Z')$ is computed where
$(q, Z) \xrightarrow{t} (q', Z')$ in $ZG(\mathcal{A})$. If $q'$ is a final state and $Z'$ is not empty then the
algorithm terminates. Otherwise the search continues from $(q', Z')$ unless there
is already a node $(q', Z'')$ with $Z' \subseteq Closure_{\alpha_{\mathcal{A}}}(Z'')$ in the current tree.

The correctness of the algorithm is straightforward. It follows from the fact
that if $Z' \subseteq Closure_{\alpha_{\mathcal{A}}}(Z'')$ then all the states reachable from $(q', Z')$ are
reachable from $(q', Z'')$ and hence it is not necessary to explore the tree from $(q', Z')$.
Termination of the algorithm is ensured since there are finitely many sets of the
form $Closure_{\alpha_{\mathcal{A}}}(Z)$. Indeed, the algorithm will construct a prefix of the
reachability tree of $SG_\alpha(\mathcal{A})$ as described in Theorem 1.

The above algorithm does not use the classical extrapolation operator named
$Extra^+_M$ in [3] and $Extra^+$ hereafter, but the coarser $Closure_\alpha$ operator [7]. This
is possible since the algorithm does not need to represent $Closure_\alpha(Z)$, which is
in general not a zone. Instead of storing $Closure_\alpha(Z)$ the algorithm just stores
$Z$ and performs tests $Z \subseteq Closure_\alpha(Z')$ each time it is needed (in contrast to
Algorithm 2 in [7]). This is as efficient as testing $Z \subseteq Z'$ thanks to the algorithm
presented in the previous section.

Since $Closure_\alpha$ is a coarser abstraction, this simple algorithm already covers
some of the optimizations of the standard algorithm. For example the $Extra^+(Z)$
abstraction proposed in [3] is subsumed since $Extra^+(Z) \subseteq Closure_\alpha(Z)$ for any
zone $Z$ [7,3]. Other important optimizations of the standard algorithm concern
finer computation of bounding functions $\alpha$. We now show that the structure of
the proposed algorithm allows us to improve this too.
Listing 1.1. Reachability algorithm with on-the-fly bound computation
and non-convex abstraction.

 1 function main():
 2   push((q0, Z0, α0), stack)
 3   while (stack ≠ ∅) do
 4     (q, Z, α) := top(stack); pop(stack)
 5     explore(q, Z, α)
 6     resolve()
 7   return "empty"
 8
 9 function explore(q, Z, α):
10   if (q is accepting)
11     exit "not empty"
12   if (∃ (q, Z', α') nontentative
13       and s.t. Z ⊆ Closure_α'(Z'))
14     mark (q, Z, α) tentative wrt (q, Z', α')
15     α := α'; propagate(parent(q, Z, α))
16   else
17     propagate(q, Z, α)
18     for each (q_s, Z_s, α_s) in children(q, Z, α) do
19       if (Z_s ≠ ∅)
20         explore(q_s, Z_s, α_s)
21
22 function resolve():
23   for each (q, Z, α) tentative wrt (q, Z', α') do
24     if (Z ⊄ Closure_α'(Z'))
25       mark (q, Z, α) nontentative
26       α := −∞; propagate(parent(q, Z, α))
27       push((q, Z, α), stack)
28
29 function propagate(q, Z, α):
30   α := max over edges (q, Z, α) →(g,R) (q', Z', α') of maxedge(g, R, α')
31   if (α has changed)
32     for each (q_t, Z_t, α_t) tentative wrt (q, Z, α) do
33       α_t := α; propagate(parent(q_t, Z_t, α_t))
34     if ((q, Z, α) ≠ (q0, Z0, α0))
35       propagate(parent(q, Z, α))
36
37 function maxedge(g, R, α):
38   let α_R = λx. if x ∈ R then −∞ else α(x)
39   let α_g = λx. if x#c in g then c else −∞
40   return (λx. max(α_R(x), α_g(x)))

4.2 Computing clock bounds on-the-fly

We can improve on the idea of Behrmann et al. [2] of computing a bound function
$\alpha_q$ for each state $q$. We will compute these bounding functions on-the-fly and they
will depend also on a zone and not just on a state. An obvious gain is that we will
never consider constraints coming from unreachable transitions. We comment
more on the advantages of this approach in Section 5.

Our modified algorithm is given in Listing 1.1. It computes a tree whose
nodes are triples $(q, Z, \alpha)$ where $(q, Z)$ is a node of $ZG(\mathcal{A})$ and $\alpha$ is a bound
function. Each node $(q, Z, \alpha)$ has as many child nodes $(q_s, Z_s, \alpha_s)$ as there are
successors $(q_s, Z_s)$ of $(q, Z)$ in $ZG(\mathcal{A})$. Notice that this includes successors with
an empty zone $Z_s$, which are however not further unfolded. These nodes must
be included for correctness of our constant propagation procedure. By default
bound functions map each clock to $-\infty$. They are later updated as explained
below. Each node is further marked either tentative or nontentative. The leaf
nodes $(q, Z, \alpha)$ of the tree are either deadlock nodes (either there is no transition
out of state $q$ or $Z$ is empty), or tentative nodes. All the other nodes are marked
nontentative.

Our algorithm starts from the root node $(q_0, Z_0, \alpha_0)$, consisting of the initial
state, initial zone, and the function mapping each clock to $-\infty$. It repeatedly
alternates an exploration and a resolution phase as described below.

Exploration phase. Before exploring a node $n = (q, Z, \alpha)$ the function explore
checks if $q$ is accepting and $Z$ is not empty; if it is so then $\mathcal{A}$ has an accepting
run. Otherwise the algorithm checks if there exists a nontentative node
$n' = (q', Z', \alpha')$ in the current tree such that $q = q'$ and $Z \subseteq Closure_{\alpha'}(Z')$. If yes,
$n$ becomes a tentative node and its exploration is temporarily stopped as each
state reachable from $n$ is also reachable from $n'$. If none of these holds, the
successors of the node are explored. The exploration terminates since $Closure_\alpha$
has a finite range.

When the exploration algorithm gets to a new node, it propagates the bounds
from this node to all its predecessors. The goal of these propagations is to
maintain the following invariant. For every node $n = (q, Z, \alpha)$:

1. if $n$ is nontentative, then $\alpha$ is the maximum of the $\alpha_s$ from all successor nodes
$(q_s, Z_s, \alpha_s)$ of $n$ (taking into account guards and resets as made precise in
the function maxedge);

2. if $n$ is tentative with respect to $(q', Z', \alpha')$, then $\alpha$ is equal to $\alpha'$.

The result of propagation is analogous to the inequalities seen in the static
guard analysis [2], however now applied to the zone graph, on-the-fly. Hence, the
bounds associated to each node $(q, Z, \alpha)$ never exceed those that are computed
by the static guard analysis.

A delicate point about this procedure is the handling of tentative nodes. When
a node $n$ is marked tentative, we have $\alpha = \alpha'$. However the value of $\alpha'$ may
be updated when the tree is further explored. Thus each time we update the
bound function of a node, it is not only propagated upward in the tree but also
to the nodes that are tentative with respect to $n'$.

This algorithm terminates as the bound functions in each node never decrease
and are bounded. From the invariants above, we get that in every node, $\alpha$ is a
solution to the equations in [2] applied on $ZG(\mathcal{A})$.

It could seem that the algorithm will be forced to do a high number of
propagations of bounds. The experiments reported in Section 5 show that the
present very simple approach to bound propagation is good enough. Since we
propagate the bounds as soon as they are modified, most of the time the value
of $\alpha$ does not change in line 30 of function propagate. In general, bounds are
only propagated over very short distances in the tree, mostly along one single edge.
For this reason we do not concentrate on optimizing the function propagate.
In the implementation we use the presented function augmented with a minor
"optimization" that avoids calculating the maximum over all successors in line 30
when it is not needed.

Resolution phase. Finally, as the bounds may have changed since $n$ has been
marked tentative, the function resolve checks for the consistency of tentative
nodes. If $Z \subseteq Closure_{\alpha'}(Z')$ is not true anymore, $n$ needs to be explored. Hence
it is viewed as a new node: the bounds are set to $-\infty$ and $n$ is pushed on the
stack for further consideration in the function main. Setting $\alpha$ to $-\infty$ is safe as
$\alpha$ will be computed and propagated when $n$ is explored. We perform also a small
optimization and propagate this bound upward, thereby making some bounds
decrease.

The resolution phase may provide new nodes to be explored. The algorithm
terminates when this is not the case, that is when all tentative nodes remain
tentative. We can then conclude that no accepting state is reachable.
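The exploration-phase bookkeeping of Section 4.2 (functions explore, propagate and maxedge of Listing 1.1, together with the two invariants above) as an added Python example, not the authors' implementation. The exploration tree, its edge guards, the node marked tentative and the disabled synchronizing transition used for the static comparison are all constructed; the inclusion test of Section 3 is replaced by a lookup table, and the resolution phase is not modelled.

```python
import math

NEG = -math.inf            # default bound function: every clock maps to -infinity
CLOCKS = ('x', 'y')

def maxedge(g, R, alpha):
    """Lines 37-40 of Listing 1.1. g maps a clock to the largest constant c with x#c in
    the guard (absent: no comparison), R is the reset set, alpha the successor's bounds."""
    alpha_R = {c: NEG if c in R else alpha[c] for c in CLOCKS}
    alpha_g = {c: g.get(c, NEG) for c in CLOCKS}
    return {c: max(alpha_R[c], alpha_g[c]) for c in CLOCKS}

class Node:
    """A tree node (q, Z, alpha); the zone Z itself plays no part in bound propagation."""
    def __init__(self, name, q, parent=None, empty=False):
        self.name, self.q, self.parent, self.empty = name, q, parent, empty
        self.alpha = {c: NEG for c in CLOCKS}
        self.edges = []            # (guard, resets, child): one per successor in ZG(A)
        self.tentative_wrt = None  # reference node when this node is tentative
        self.dependents = []       # nodes that are tentative with respect to this node

def children_max(n):
    """Line 30 of Listing 1.1: maximum over the edges leaving n of maxedge(g, R, alpha')."""
    out = {c: NEG for c in CLOCKS}
    for g, R, child in n.edges:
        m = maxedge(g, R, child.alpha)
        out = {c: max(out[c], m[c]) for c in CLOCKS}
    return out

def propagate(n):
    """Lines 29-35 of Listing 1.1: recompute alpha and, if it changed, copy it to the
    tentative dependents (invariant 2) and continue upward to the parent."""
    new = children_max(n)
    if new != n.alpha:
        n.alpha = new
        for t in n.dependents:
            t.alpha = dict(n.alpha)
            propagate(t.parent)
        if n.parent is not None:
            propagate(n.parent)

def explore(n, closure_ref):
    """Lines 9-20 of Listing 1.1 (no accepting states in this model). closure_ref(n)
    stands in for the Section 3 test: it returns the nontentative node (q, Z', alpha')
    with Z subset of Closure_alpha'(Z'), or None."""
    ref = closure_ref(n)
    if ref is not None:
        n.tentative_wrt = ref
        ref.dependents.append(n)
        n.alpha = dict(ref.alpha)
        propagate(n.parent)
    else:
        propagate(n)
        for g, R, child in n.edges:
            if not child.empty:
                explore(child, closure_ref)

# Constructed automaton: q0 -(y<=1, reset x)-> q1, q0 -(x>=1)-> q0, q1 -(x<=3, reset y)-> q2,
# plus q1 -(y>=10000)-> q3 on a synchronization that never finds a partner in the product,
# so it produces no edge in the zone graph; a static maximal-constant analysis still sees it.
STATIC_GUARDS = [{'y': 1}, {'x': 1}, {'x': 3}, {'y': 10000}]

def static_bounds():
    """Simplest static threshold: the maximal constant per clock over all transitions."""
    return {c: max(g.get(c, NEG) for g in STATIC_GUARDS) for c in CLOCKS}

def build_tree():
    """Exploration tree of the zone graph; n2 = (q0, Z2) is assumed to satisfy
    Z2 subset of Closure_alpha0(Z0), so the Section 3 test makes it tentative wrt n0."""
    n0 = Node('n0', 'q0')
    n1 = Node('n1', 'q1', parent=n0)
    n2 = Node('n2', 'q0', parent=n0)
    n3 = Node('n3', 'q2', parent=n1)           # deadlock: q2 has no outgoing transition
    n0.edges = [({'y': 1}, {'x'}, n1), ({'x': 1}, set(), n2)]
    n1.edges = [({'x': 3}, {'y'}, n3)]
    return {n.name: n for n in (n0, n1, n2, n3)}

def run():
    """Explore the constructed tree and return it with the propagated bound functions."""
    tree = build_tree()
    hint = {'n2': 'n0'}                        # constructed outcome of the inclusion test
    def closure_ref(n):
        ref = tree.get(hint.get(n.name))
        ok = ref is not None and ref.q == n.q and ref.tentative_wrt is None
        return ref if ok else None
    explore(tree['n0'], closure_ref)
    return tree

def invariant_holds(tree):
    """Invariants 1 and 2 of Section 4.2, checked on every node of the finished tree."""
    for n in tree.values():
        ref = n.tentative_wrt
        if n.alpha != (ref.alpha if ref is not None else children_max(n)):
            return False
    return True

if __name__ == "__main__":
    tree = run()
    print({name: n.alpha for name, n in tree.items()})   # root n0: {'x': 1, 'y': 1}
    print(static_bounds(), invariant_holds(tree))        # {'x': 3, 'y': 10000} True
```

The root bound on y is 1 because the only guard on y reachable in the tree is y <= 1, whereas the static maximal constant is 10000 from the transition that never fires.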
Model       | Our algorithm     | UPPAAL's algorithm | UPPAAL 4.1.3 (-n4 -C -o1)
            | nodes       s.    | nodes        s.    | nodes         s.
------------+-------------------+--------------------+--------------------------
A1          |      2      0.00  |   10003     0.07   |    10003      0.07
A2          |      7      0.00  |    3999     0.60   |     2003      0.01
A3          |      3      0.00  |   10004     0.37   |    10004      0.32
CSMA/CD7    |   5031      0.32  |    5923     0.27   |        T.O.
CSMA/CD8    |  16588      1.36  |   19017     1.08   |        T.O.
CSMA/CD9    |  54439      6.01  |   60783     4.19   |        T.O.
FDDI10      |    459      0.02  |     525     0.06   |    12049      2.43
FDDI20      |   1719      0.29  |    2045     0.78   |        T.O.
FDDI30      |   3779      1.29  |    4565     4.50   |        T.O.
Fischer7    |   7737      0.42  |   20021     0.53   |    18374      0.35
Fischer8    |  25080      1.55  |   91506     2.48   |    85438      1.53
Fischer9    |  81035      5.90  |  420627    12.54   |   398685      8.95
Fischer10   |        T.O.       |        T.O.        |  1827009     53.44

Table 1. Experimental results: number of visited nodes and running time with a timeout (T.O.)
of 60 seconds. Experiments done on a MacBook with a 2.4GHz Intel Core Duo processor and 2GB of
memory running MacOS X 10.6.7.



Theorem 4. An accepting state is reachable in ZG(A) iff the algorithm reaches 
a node with an accepting state and a non-empty zone. 

4.3 Handling LU approximations

Recall that the $Extra^+_{LU}(Z)$ approximation uses two bounds, $L_x$ and $U_x$, for each
clock $x$. In our algorithm we can easily propagate LU bounds instead of just
maximal bounds. We can also replace the test $Z \subseteq Closure_{\alpha'}(Z')$ by
$Z \subseteq Closure_{\alpha'}(Extra^+_{L'U'}(Z'))$, where $L'$ and $U'$ are the bounds calculated for $(q', Z')$
and $\alpha'_x = \max(L'_x, U'_x)$ for every clock $x$. As discussed in Section 3.3, this test
can be done efficiently too. The proof of correctness of the resulting algorithm
is only slightly more complicated.

5 Experimental results 

We have implemented the algorithm from Listing 1.1, and have tested it on
classical benchmarks. The results are presented in Table 1, along with a comparison
to UPPAAL and our implementation of UPPAAL's core algorithm that uses the
$Extra^+_{LU}$ extrapolation [3] and computes bounds by static analysis [2]. Since we
have not considered symmetry reduction [12] in our tool, we have not used it in
UPPAAL either.

The comparison to UPPAAL is not meaningful for the CSMA/CD and the 
FDDI protocols. Indeed, UPPAAL runs out of time even if we significantly increase 
the time allowed; switching to breadth-first search has not helped either. 
We suspect that this is due to the order in which UPPAAL takes the transitions 
in the automaton. For this reason in columns 4 and 5, we provide results from 
our own implementation of UPPAAL's algorithm that takes transitions in the 
same order as the implementation of our algorithm. Although RED also uses 
approximations, it is even more difficult to draw a meaningful comparison with 
it, since it uses symbolic state representation unlike UPPAAL or our tool. Since 
this paper is about approximation methods, and not tool comparison, we leave 
more extensive comparisons as further work. 

Fig. 2. Examples explaining gains obtained with the algorithm. 

The results show that our algorithm provides important gains. Analyzing 
the results more closely we could see that both the use of closure, and on-the-fly 
computation of bounds are important. In Fischer's protocol our algorithm visits 
far fewer nodes. In the FDDI protocol with n processes, the DBMs are rather 
big square matrices of order 3n + 2. Nevertheless our inclusion test based on 
Closure is significantly better in the running time. The CSMA/CD case shows 
that the cost of bounds propagation does not always counterbalance the gains. 
However the overhead is not very high either. We comment further on the results 
below. 

The first improvement comes from the computation of the maximal bounds 
used for the abstraction as demonstrated by the examples $A_2$ (Figure 2), Fischer 
and CSMA/CD that correspond to three different situations. In the $A_2$ example, 
the transition that yields the big bound 10 on y in $q_0$ is not reachable from any 
$(q_0, Z)$, hence we just get the lower bound 20 on y in $(q_0, Z)$, and a subsequent 
gain in performance. 

The automaton $A_1$ in Figure 2 illustrates the gain on the CSMA/CD protocol. 
The transition from $q_0$ to $q_1$ is disabled as it must synchronize on letter a!. 
The static analysis algorithm [2] ignores this fact, hence it associates bound $10^4$ 
to y in $q_0$. Since our algorithm computes the bounds on-the-fly, y is associated 
the bound 10 in every node $(q_0, Z)$. We observe that UPPAAL's algorithm visits 
10003 nodes on $ZG(A_1)$ whereas our algorithm only visits 2 nodes. The same 
situation occurs in the CSMA/CD example. However, despite the improvement 
in the number of nodes (roughly 10%), the cost of computing the bounds impacts 
the running time negatively. 

The gains that we observe in the analysis of Fischer's protocol are explained 
by the automaton $A_3$ in Figure 2. $A_3$ has a bounded integer variable n 
that is initialized to 0. Hence, the transitions from $q_0$ to $q_2$, and from $q_1$ to $q_2$, 
that check if n is equal to 10 are disabled. This is ignored by the static analysis 
algorithm that associates the bound $10^4$ to clock y in $q_0$. Our algorithm however 
associates the bound 10 to y in every node $(q_0, Z)$. We observe that UPPAAL's 
algorithm visits 10004 nodes whereas our algorithm only visits 3 nodes. A similar 
situation occurs in Fischer's protocol. We include the last row to underline 
that our implementation is not as mature as UPPAAL. We strongly think that 
UPPAAL could benefit from the methods presented here. 

The second kind of improvement comes from the $Closure_\alpha$ abstraction that 
particularly improves the analysis of Fischer's and the FDDI protocols. The 
situation observed on the FDDI protocol is explained in Figure 2. For the zone 
Z in the figure, by definition $Extra^+_{LU}(Z) = Z$, and in consequence $Z' \not\subseteq Z$. 
However, $Z' \subseteq Closure_\alpha(Z)$. On the FDDI and Fischer's protocols, our algorithm 
performs better due to the non-convex approximation. 

6 Conclusions 

We have proposed a new algorithm for checking reachability properties of timed 
automata. The algorithm has two sources of improvement that are quite independent: 
the use of the $Closure_\alpha$ operator, and the computation of bound functions 
on-the-fly. 

Apart from the immediate gains presented in Table 1, we think that our approach 
opens some new perspectives on the analysis of timed systems. We show that the 
use of non-convex approximations can be efficient. We have used very simple 
approximations, but it may well be the case that there are more sophisticated 
approximations to be discovered. The structure of our algorithm permits calculating 
bounding constants on the fly. One should note that standard benchmarks 
are very well understood and very well modeled. In particular they have no "superfluous" 
constraints or clocks. However, in not-so-clean models coming from 
systems in practice one can expect the on-the-fly approach to be even more 
beneficial. 

There are numerous directions for further research. One of them is to find 
other approximation operators. Methods for constraint propagation also deserve 
a closer look. We believe that our approximation methods are compatible with 
partial order reductions [12,14]. We hope that the two techniques can benefit 
from each other. 
A Proofs from Section 3 

We provide all the proofs from the section presenting the efficient inclusion 
testing algorithm. For convenience, we recall the statements of the facts that are 
proven together with their original numbering. They are preceded with a black 
arrow for readability. 

►Proposition 1. A distance graph G has only positive cycles iff $[G] \neq \emptyset$. 

Proof. If there is a valuation $v \in [G]$ then we replace every edge $x \xrightarrow{(\preceq_{xy}, c_{xy})} y$ by 
$x \xrightarrow{(\le, d)} y$ where $d = v(y) - v(x)$. We have $d \preceq_{xy} c_{xy}$. Since every cycle in the new 
graph has value 0, every cycle in G is positive. 

For the other direction suppose that every cycle in G is positive. Let $\hat{G}$ be 
the canonical form of G. Clearly $[\hat{G}] = [G]$, i.e., the constraints defined by $\hat{G}$ 
and by G are equivalent. It is also evident that all the cycles in $\hat{G}$ are positive. 

We say that a variable x is fixed in $\hat{G}$ if in this graph we have edges $0 \xrightarrow{(\le, c_x)} x$ 
and $x \xrightarrow{(\le, -c_x)} 0$ for some constant $c_x$. These edges mean that every valuation in 
$[\hat{G}]$ should assign $c_x$ to x. 

If all the variables in $\hat{G}$ are fixed then the value of every cycle in $\hat{G}$ is 0, and 
the valuation assigning $c_x$ to x for every variable x is the unique valuation in 
$[\hat{G}]$. Hence, $[\hat{G}]$, and in consequence $[G]$, are not empty. 

Otherwise there is a variable, say y, that is not fixed in $\hat{G}$. We will show how 
to fix it. Let us multiply all the constraints in $\hat{G}$ by 2. This means that we change 
each arrow $x_1 \xrightarrow{(\preceq, c)} x_2$ to $x_1 \xrightarrow{(\preceq, 2c)} x_2$. Let us call the resulting graph H. Clearly H 
is in canonical form since $\hat{G}$ is. Moreover $[H]$ is not empty iff $[\hat{G}]$ is not empty. 
The gain of this transformation is that for our chosen variable y we have in H 
edges $0 \xrightarrow{(\preceq_{0y}, c_{0y})} y$ and $y \xrightarrow{(\preceq_{y0}, c_{y0})} 0$ with $c_{y0} + c_{0y} \ge 2$. This means that there is a natural 
number d such that $(\le, d) < (\preceq_{0y}, c_{0y})$ and $(\le, -d) < (\preceq_{y0}, c_{y0})$. Let $H_d$ be H with 
edges to and from y changed to $0 \xrightarrow{(\le, d)} y$ and $y \xrightarrow{(\le, -d)} 0$, respectively. This is a 
distance graph where y is fixed. We need to show that there is no negative cycle 
in this graph. 

Suppose that there is a negative cycle in $H_d$. Clearly it has to pass through 0 
and y since there was no negative cycle in H. Suppose that it uses the edge 
$0 \xrightarrow{(\le, d)} y$, and suppose that the next used edge is $y \xrightarrow{(\preceq_{yx}, c_{yx})} x$. The cycle cannot come 
back to y before ending in 0 since then we could construct a smaller negative 
cycle. Hence all the other edges in the cycle come from H. Since H is in the 
canonical form, a path from x to 0 can be replaced by the edge from x to 0, 
and the value of the path will not increase. This means that our hypothetical 
negative cycle has the form $0 \xrightarrow{(\le, d)} y \xrightarrow{(\preceq_{yx}, c_{yx})} x \xrightarrow{(\preceq_{x0}, c_{x0})} 0$. By canonicity of H we have 
$(\preceq_{yx}, c_{yx}) + (\preceq_{x0}, c_{x0}) \ge (\preceq_{y0}, c_{y0})$. Putting these two facts together we get 

$(\le, 0) > (\le, d) + (\preceq_{yx}, c_{yx}) + (\preceq_{x0}, c_{x0}) \ge (\le, d) + (\preceq_{y0}, c_{y0})$ 

but this contradicts the choice of d which supposed that $(\le, d) + (\preceq_{y0}, c_{y0})$ is 
positive. The proof when the hypothetical negative cycle passes through the edge 
$y \xrightarrow{(\le, -d)} 0$ is analogous. 

Summarizing, starting from $\hat{G}$ that has no negative cycles we have constructed 
a graph $H_d$ that has no negative cycles, and has one more variable 
fixed. We also know that if $[H_d]$ is not empty then $[\hat{G}]$ is not empty. Repeatedly 
applying this construction we get a graph where all the variables are fixed and 
no cycle is negative. As we have seen above the semantics of such a graph is not 
empty. □ 

►Proposition 2. Let R be a region and let Z be a zone. The intersection $R \cap Z$ 
is empty iff there exist variables x, y such that $Z_{yx} + R_{xy} < (\le, 0)$. 

Before proving the above proposition, we will start with some notions. Let R 
be a region wrt. a bound function $\alpha : X \to \mathbb{N}$. A variable x is bounded in R if a 
constraint $x \le c$ holds in R for some constant c; otherwise the variable is called 
unbounded in R. Observe that if $x_1, x_2$ are bounded then we have 

$x_1 - x_2 = c$ or $c - 1 < x_1 - x_2 < c$ in R. 

If y is unbounded then we have $y > \alpha_y$ in R. 
For two distance graphs $G_1, G_2$ which are not necessarily in canonical form, 
we denote by $\min(G_1, G_2)$ the distance graph where each edge has the weight 
equal to the minimum of the corresponding weights in $G_1$ and $G_2$. Even though 
this graph may not be in canonical form, it should be clear that it represents the 
intersection of the two arguments, that is, $[\min(G_1, G_2)] = [G_1] \cap [G_2]$; in other 
words, the valuations satisfying the constraints given by $\min(G_1, G_2)$ are exactly 
those satisfying all the constraints from $G_1$ as well as $G_2$. 

We are now ready to examine the conditions when $R \cap Z$ is empty. We start 
with the following simple lemma. 

Lemma 2. Let $G_R$ be the distance graph of a region R and let $x_1, x_2$ be two variables 
bounded in R. For every distance graph G: if in $\min(G_R, G)$ the weight of 
the edge $x_1 \to x_2$ comes from G then $x_1 \to x_2 \to x_1$ is a negative cycle in 
$\min(G_R, G)$. 

Proof. Suppose that the edge $x_1 \xrightarrow{(\preceq, c)} x_2$ is as required by the assumption of the 
lemma. In R we can have either $x_2 - x_1 = d$ or $d - 1 < x_2 - x_1 < d$. 

In the first case we have edges $x_1 \xrightarrow{(\le, d)} x_2$ and $x_2 \xrightarrow{(\le, -d)} x_1$ in $G_R$. Since the edge 
$x_1 \to x_2$ comes from G we have $c < d$, or $c = d$ and $\preceq$ is the strict inequality. 
We get a negative cycle $x_1 \xrightarrow{(\preceq, c)} x_2 \xrightarrow{(\le, -d)} x_1$. 

In the second case we have edges $x_2 \xrightarrow{(<, 1-d)} x_1$ and $x_1 \xrightarrow{(<, d)} x_2$ in R. Hence 
$c < d$ and $x_1 \xrightarrow{(\preceq, c)} x_2 \xrightarrow{(<, 1-d)} x_1$ gives a negative cycle. □ 



Proof of Proposition 2. Let $G_R$, $G_Z$ be the canonical distance graphs representing 
the region R and the zone Z respectively. One direction is immediate: if 
$\min(G_R, G_Z)$ has a negative cycle then $R \cap Z$ is empty by Proposition 1. 

For the other direction suppose that $R \cap Z$ is empty. Again, by Proposition 1 
the graph $\min(G_R, G_Z)$ has a negative cycle. An immediate case is when in this 
graph an edge between two variables bounded in R comes from $G_Z$. From Lemma 2 
we obtain a negative cycle on these two variables. So in what follows we suppose 
that in $\min(G_R, G_Z)$ all the edges between variables bounded in R come from 
$G_R$. Hence every negative cycle should contain an unbounded variable. 

Let y be a variable unbounded in R that is a part of the negative cycle. 
Consider y with its successor and its predecessor on the cycle: $x \to y \to x'$. 
We will show that we can assume that $x'$ is $x_0$. Observe that in $G_R$ every edge to 
y has value $\infty$. So the weight of the edge $x \to y$ is from $G_Z$. If the weight of the 
outgoing edge is also from $G_Z$ then we could have eliminated y from the cycle by 
choosing $x \to x'$ from $G_Z$. Hence the weight of $y \to x'$ comes from $G_R$. Since 
y is unbounded in R, the weight of this edge is $d - \alpha_y$, where d is the value on the 
edge $x_0 \xrightarrow{d} x'$ in $G_R$. This is because we can rewrite the inequation $x' - y < d - \alpha_y$ 
as $y - x' > \alpha_y - d$, and we know that $\alpha_y$ is the smallest possible value for y, 
while d is the supremum on the possible values of $x'$. But then instead of the 
edge $y \to x'$ we can take $y \to x_0 \to x'$ in $\min(G_R, G_Z)$ which has smaller 
value since we have $y \xrightarrow{(<, -\alpha_y)} x_0$ in $G_R$. 

If x is $x_0$ then we get a cycle of the required form since it contains only $x_0$ and 
y. Otherwise, let us more closely examine the whole negative cycle: 

$x_0 \to x_{i_1} \to \dots \to x_{i_k} \to x \to y \to x_0$. 

By the reasoning from the previous paragraph, all of $x_{i_1}, \dots, x_{i_k}$ can be assumed 
to be bounded in R. Otherwise we could get a cycle visiting $x_0$ twice and we 
could remove a part of it with one unbounded variable and still have a negative 
cycle. By our assumption, all the edges from and to these variables come from R. 
This means that the path from $x_0$ to x can be replaced by an edge $x_0 \to x$ from 
R. So finally, the negative cycle has the required form $x_0 \to x \to y \to x_0$ 
with the edges $x_0 \to x$ and $y \to x_0$ coming from $G_R$ and the edge $x \to y$ coming 
from $G_Z$. Since $G_R$ is canonical, we can reduce this cycle to $x \to y \to x$ with 
$x \to y$ coming from $G_Z$ and $y \to x$ coming from $G_R$. □ 

A.1 Efficient inclusion testing 

Given two zones Z and $Z'$ and a bound function $\alpha$, we would like to know if 
$Z \not\subseteq Closure_\alpha(Z')$: that is, does there exist a region R that intersects Z but does 
not intersect $Z'$? From Proposition 2 this reduces to asking if there exists a region 
R that intersects Z and two variables x, y such that $Z'_{yx} + R_{xy} < (\le, 0)$. This 
brings us to look for the least value of $R_{xy}$ from among the regions R intersecting 
Z. We begin with the observation that every consistent instantiation of an edge 
in a canonical distance graph G gives a valuation satisfying the constraints of 
G. 

►Lemma 1. Let G be a distance graph in canonical form, with all cycles 
positive. Let x, y be two variables such that $x \xrightarrow{(\preceq_{xy}, c_{xy})} y$ and $y \xrightarrow{(\preceq_{yx}, c_{yx})} x$ are edges 
in G. Let $d \in \mathbb{R}$ such that $d \preceq_{xy} c_{xy}$ and $-d \preceq_{yx} c_{yx}$. Then, there exists a 
valuation $v \in [G]$ such that $v(y) - v(x) = d$. 

Proof. Take d as in the assumption of the lemma. Let $G_d$ be the distance graph 
where we have the edges $x \xrightarrow{(\le, d)} y$ and $y \xrightarrow{(\le, -d)} x$ for variables x and y and the 
rest of the edges come from G. We show that all cycles in $G_d$ are positive. For 
contradiction, suppose there is a negative cycle N in $G_d$. Clearly, since G does 
not have a negative cycle, N should contain the variables x and y. The value of the 
shortest path from x to y in G was given by $(\preceq_{xy}, c_{xy})$. Therefore, the shortest 
path value from x to y in $G_d$ is given by d and the shortest path value from 
y to x is $-d$. Hence the sum of the weights in N being negative would imply that 
the value of the cycle $x \to y \to x$ is negative. However, since this is 0, such a 
negative cycle N cannot exist. The lemma follows from Proposition 1. □ 

Recall that for a zone Z, we denote by $Z_{xy}$ the weight of the edge $x \xrightarrow{Z_{xy}} y$ 
in the canonical distance graph representing Z. We denote by $[v]$ the region to 
which v belongs; $[v]_{xy}$ denotes the value $(\preceq_{xy}, r_{xy})$ of the constraint $y - x \preceq_{xy} r_{xy}$ 
defining the region $[v]$. This is precisely the value of the edge $x \xrightarrow{[v]_{xy}} y$ 
in the canonical distance graph representing the region $[v]$. We are interested in 
finding the least value of $[v]_{xy}$ from among the valuations $v \in Z$. Lemmas 3 and 
4 describe this least value of $[v]_{xy}$ for different combinations of x and y. 

For a weight $(\preceq, c)$ we define $-(\preceq, c)$ as $(\preceq, -c)$. We now define a ceiling 
function $\lceil \cdot \rceil$ for weights. 

Definition 1. For a real c, let $\lceil c \rceil$ denote the smallest integer that is greater 
than or equal to c. We define the ceiling function $\lceil (\preceq, c) \rceil$ for a weight $(\preceq, c)$ 
depending on whether $\preceq$ equals $\le$ or $<$, as follows: 

$\lceil (\le, c) \rceil = (\le, c)$ if c is an integer, and $(<, \lceil c \rceil)$ otherwise; 
$\lceil (<, c) \rceil = (<, c + 1)$ if c is an integer, and $(<, \lceil c \rceil)$ otherwise. 

Lemma 3. Let Z be a non-empty zone and let x be a variable different from 
$x_0$. Then, from among the regions R that intersect Z: 

— the least value of $R_{0x}$ is given by $(<, \infty)$ if $Z_{x0} < (\le, -\alpha_x)$, and by $\lceil -Z_{x0} \rceil$ otherwise; 

— the least value of $R_{x0}$ is given by $\max\{\lceil -Z_{0x} \rceil, (<, -\alpha_x)\}$. 

Proof. Let $Z_{0x} = (\preceq_{0x}, c_{0x})$ and $Z_{x0} = (\preceq_{x0}, c_{x0})$. 

For the least value of $R_{0x}$, first note that if $Z_{x0} < (\le, -\alpha_x)$ then all valuations 
$v \in Z$ have $v_x > \alpha_x$ and by definition $[v]_{0x} = (<, \infty)$ for such valuations. If not, 
we know that for all valuations $-v_x \preceq_{x0} c_{x0}$, that is, $v_x \succeq_{x0} -c_{x0}$. If $\preceq_{x0}$ is 
$\le$, then from Lemma 1 there exists a valuation with $v_x = -c_{x0}$ and this is the 
minimum value that can be attained. When $\preceq_{x0}$ is $<$, then we can find a positive 
$\epsilon < 1$ such that $c_{x0} - \epsilon \preceq_{x0} c_{x0}$ and $-c_{x0} + \epsilon \preceq_{0x} c_{0x}$. From Lemma 1, there 
exists a valuation with $v_x = -c_{x0} + \epsilon$ for which $[v]_{0x} = (<, -c_{x0} + 1)$. Since $\preceq_{x0}$ 
is a strict $<$, this is the minimum value for $R_{0x}$. This gives that the minimum 
value is $\lceil -Z_{x0} \rceil$. 

Now we look at the minimum value for $R_{x0}$. If $(\preceq_{0x}, c_{0x}) \le (\le, \alpha_x)$, then all 
valuations v have $v_x \le \alpha_x$ and by an argument similar to the above, the minimum 
value of $R_{x0}$ would be given by $\lceil -Z_{0x} \rceil$. Since $(\preceq_{0x}, c_{0x}) \le (\le, \alpha_x)$, we have 
$(\preceq_{0x}, -c_{0x}) \ge (<, -\alpha_x)$, and so $\lceil -Z_{0x} \rceil \ge (<, -\alpha_x)$. If $(\preceq_{0x}, c_{0x}) > (\le, \alpha_x)$, then from Lemma 
1, there are valuations in Z with $v_x > \alpha_x$ and for these valuations $[v]_{x0} = (<, -\alpha_x)$. 
In this case the minimum value is given by $(<, -\alpha_x)$. Since $(\preceq_{0x}, c_{0x}) > (\le, \alpha_x)$, 
we have $(\preceq_{0x}, -c_{0x}) < (<, -\alpha_x)$ and so $\lceil -Z_{0x} \rceil < (<, -\alpha_x)$. In each 
case, observe that we get $\max\{\lceil -Z_{0x} \rceil, (<, -\alpha_x)\}$ as the minimum value. □ 
Lemma 4. Let Z be a non-empty zone and let x, y be variables, none of them 
equal to $x_0$. Then, from among the regions R that intersect Z, the least value of 
$R_{xy}$ is given by 

$(<, \infty)$ if $Z_{y0} < (\le, -\alpha_y)$, and by $\max\{\lceil -Z_{yx} \rceil, \lceil -Z_{y0} \rceil + (<, -\alpha_x)\}$ otherwise. 

Proof. Let G be the canonical distance graph representing the zone Z. We denote 
the weight of an edge $i \to j$ in G by $(\preceq_{ij}, c_{ij})$. Recall that this means $Z_{ij} = (\preceq_{ij}, c_{ij})$. 
For clarity, for a valuation v, we write $v_x$ for $v(x)$. 

We are interested in computing the smallest value of the $y - x$ constraint defining 
a region belonging to $Closure_\alpha(Z)$, that is, we need to find $\min\{[v]_{xy} \mid v \in Z\}$. 
Call this $\beta$. By definition of regions, we have for a valuation v: 

$[v]_{xy} = (<, \infty)$ if $v_y > \alpha_y$; 
$[v]_{xy} = \lceil (\le, v_y - v_x) \rceil$ if $v_y \le \alpha_y$ and $v_x \le \alpha_x$; 
$[v]_{xy} = (<, \lceil v_y \rceil - \alpha_x)$ if $v_y \le \alpha_y$ and $v_x > \alpha_x$. (2) 

We now consider the first of the two cases from the statement of the lemma. 
Namely, $Z_{y0} < (\le, -\alpha_y)$. This means that $-v_y \preceq_{y0} c_{y0}$ and $c_{y0} \le -\alpha_y$; 
moreover $\preceq_{y0}$ is the strict inequality if $c_{y0} = -\alpha_y$. In consequence, all valuations 
$v \in Z$ satisfy $v_y > \alpha_y$. Whence $\beta = (<, \infty)$. 

We now consider the case when $Z_{y0} \ge (\le, -\alpha_y)$. Let $G'$ be the graph in 
which the edge $0 \to y$ has weight $\min\{(\le, \alpha_y), (\preceq_{0y}, c_{0y})\}$ and the rest of the 
edges are the same as that of G. This graph $G'$ represents the valuations of Z 
that have $v_y \le \alpha_y$: $[G'] = \{v \in Z \mid v_y \le \alpha_y\}$. We show that this set is not 
empty. For this we check that $G'$ does not have negative cycles. Since G does 
not have negative cycles, every negative cycle in $G'$ should include the newly 
modified edge $0 \to y$. Note that the shortest path value from y to 0 does not 
change due to this modified edge. So the only possible negative cycle in $G'$ is 
$0 \to y \to 0$. But we are considering the case when $Z_{y0} \ge (\le, -\alpha_y)$, and so 
$Z_{y0} + (\le, \alpha_y) \ge (\le, 0)$. Hence this cycle cannot be negative either. In consequence 
all the cycles in $G'$ are positive and $[G']$ is not empty. 

To find $\beta$, it is sufficient to consider only the valuations in $[G']$. As seen 
from Equation 2, among the valuations in $[G']$, we need to differentiate between 
those with $v_x \le \alpha_x$ and the ones with $v_x > \alpha_x$. We proceed as follows. We first 
compute $\min\{[v]_{xy} \mid v \in [G'] \text{ and } v_x \le \alpha_x\}$. Call this $\beta_1$. Next, we compute 
$\min\{[v]_{xy} \mid v \in [G'] \text{ and } v_x > \alpha_x\}$ and set this as $\beta_2$. Our required value $\beta$ 
would then equal $\min\{\beta_1, \beta_2\}$. 

To compute $\beta_1$, consider the following distance graph $G'_1$ which is obtained 
from $G'$ by just changing the edge $0 \to x$ to $\min\{(\le, \alpha_x), (\preceq_{0x}, c_{0x})\}$ and keeping 
the remaining edges the same as in $G'$. The set of valuations $[G'_1]$ equals $\{v \in 
[G'] \mid v_x \le \alpha_x\}$. If $[G'_1] = \emptyset$, we set $\beta_1$ to $(<, \infty)$ and proceed to calculate 
$\beta_2$. If not, we see from Equation 2 that for every $v \in [G'_1]$, $[v]_{xy}$ is given by 
$\lceil (\le, v_y - v_x) \rceil$. Let $(\preceq_1, w_1)$ be the shortest path from y to x in the graph $G'_1$. 
Then, we have for all $v \in [G'_1]$, $v_x - v_y \preceq_1 w_1$, that is, $v_y - v_x \succeq_1 -w_1$. If $\preceq_1$ is 
$\le$, then the least value of $[v]_{xy}$ would be $(\le, -w_1)$ and if $\preceq_1$ is $<$, one can see 
that the least value of $[v]_{xy}$ is $(<, -w_1 + 1)$. This shows that $\beta_1 = \lceil (\preceq_1, -w_1) \rceil$. 
It now remains to calculate $(\preceq_1, w_1)$. 

Recall that $G'_1$ has the same edges as G except possibly different edges 
$0 \to x$ and $0 \to y$. If the shortest path from y to x has changed in $G'_1$, then clearly 
it should be due to one of the above two edges. However note that the edge $0 \to y$ 
cannot belong to the shortest path from y to x since it would contain a cycle 
$y \to \dots \to 0 \to y \to \dots \to x$ that can be removed to give a shorter path. Therefore, 
only the edge $0 \to x$ can potentially yield a shorter path: $y \to \dots \to 0 \to x$. 
However, the shortest path from y to 0 in $G'_1$ cannot change due to the added 
edges since that would form a cycle with 0 and we know that all cycles in $G'_1$ 
are positive. Therefore the shortest path from y to 0 is the direct edge $y \to 0$, 
and the shortest path from y to x is the minimum of the direct edge $y \to x$ and 
the path $y \to 0 \to x$. We get: $(\preceq_1, w_1) = \min\{(\preceq_{yx}, c_{yx}), (\preceq_{y0}, c_{y0}) + (\le, \alpha_x)\}$ 
which equals $\min\{Z_{yx}, Z_{y0} + (\le, \alpha_x)\}$. Finally, from the argument in the above 
two paragraphs, we get: 

$\beta_1 = (<, \infty)$ if $[G'_1] = \emptyset$; 
$\beta_1 = \lceil -Z_{yx} \rceil$ if $[G'_1] \ne \emptyset$ and $Z_{yx} < Z_{y0} + (\le, \alpha_x)$; 
$\beta_1 = \lceil -Z_{y0} \rceil + (\le, -\alpha_x)$ if $[G'_1] \ne \emptyset$ and $Z_{yx} \ge Z_{y0} + (\le, \alpha_x)$. (3) 

We now proceed to compute $\beta_2 = \min\{[v]_{xy} \mid v \in [G'] \text{ and } v_x > \alpha_x\}$. Let 
$G'_2$ be the graph which is obtained from $G'$ by modifying the edge $x \to 0$ to 
$\min\{Z_{x0}, (<, -\alpha_x)\}$ and keeping the rest of the edges the same as in $G'$. Clearly 
$[G'_2] = \{v \in [G'] \mid v_x > \alpha_x\}$. 

Again, if $[G'_2]$ is empty, we set $\beta_2$ to $(<, \infty)$. Otherwise, from Equation 2, 
for each valuation $v \in [G'_2]$, the value of $[v]_{xy}$ is given by $(<, \lceil v_y \rceil - \alpha_x)$. For the 
minimum value, we need the least value of $v_y$ from $v \in [G'_2]$. Let $(\preceq_2, w_2)$ be the 
shortest path from y to 0 in $G'_2$. Then, since $-v_y \preceq_2 w_2$, the least value of $\lceil v_y \rceil$ 
would be $-w_2$ if $\preceq_2$ is $\le$ and $-w_2 + 1$ if $\preceq_2$ is $<$, and $\beta_2$ would respectively 
be $(<, -w_2 - \alpha_x)$ or $(<, -w_2 + 1 - \alpha_x)$. It now remains to calculate $(\preceq_2, w_2)$. 

Recall that $G'_2$ is G with $0 \to y$ and $x \to 0$ modified. The shortest path from y 
to 0 cannot include the edge $0 \to y$ since it would need to contain a cycle, for the 
same reasons as in the $\beta_1$ case. So we get $(\preceq_2, w_2) = \min\{Z_{y0}, Z_{yx} + (<, -\alpha_x)\}$. 
If $Z_{y0} \le Z_{yx} + (<, -\alpha_x)$, then we take $(\preceq_2, w_2)$ as $Z_{y0}$, otherwise we take it to 
be $Z_{yx} + (<, -\alpha_x)$. So, we get $\beta_2$ as the following: 

$\beta_2 = (<, \infty)$ if $[G'_2] = \emptyset$; 
$\beta_2 = -Z_{yx} + (<, 1)$ if $[G'_2] \ne \emptyset$ and $Z_{y0} > Z_{yx} + (<, -\alpha_x)$; 
$\beta_2 = \lceil -Z_{y0} \rceil + (<, -\alpha_x)$ if $[G'_2] \ne \emptyset$ and $Z_{y0} \le Z_{yx} + (<, -\alpha_x)$. (4) 



However, we would like to write $\beta_2$ in terms of the cases used for $\beta_1$ in Equation 
3 so that we can write $\beta$, which equals $\min\{\beta_1, \beta_2\}$, conveniently. 

Let $\psi_1$ be the inequation: $Z_{yx} < Z_{y0} + (\le, \alpha_x)$. From Equation 3, note that $\beta_1$ 
has been classified according to $\psi_1$ and $\neg\psi_1$ when $[G'_1]$ is not empty. Similarly, 
let $\psi_2$ be the inequation: $Z_{y0} > Z_{yx} + (<, -\alpha_x)$. From Equation 4 we see that 
$\beta_2$ has been classified in terms of $\psi_2$ and $\neg\psi_2$ when $[G'_2]$ is not empty. Notice 
the subtle difference between $\psi_1$ and $\psi_2$ in the weight component involving $\alpha_x$: 
in the former the inequality associated with $\alpha_x$ is $\le$ and in the latter it is $<$. 
This necessitates a bit more analysis before we can write $\beta_2$ in terms of $\psi_1$ 
and $\neg\psi_1$. 

Suppose $\psi_1$ is true. So we have $(\preceq_{yx}, c_{yx}) < (\preceq_{y0}, c_{y0} + \alpha_x)$. This implies 
$c_{yx} \le c_{y0} + \alpha_x$. Therefore, $c_{y0} \ge c_{yx} - \alpha_x$. When $c_{y0} > c_{yx} - \alpha_x$, $\psi_2$ is clearly 
true. For the case when $c_{y0} = c_{yx} - \alpha_x$, note that in $\psi_2$ the right hand side is 
always of the form $(<, c_{yx} - \alpha_x)$, irrespective of the inequality in $Z_{yx}$, and so yet 
again $\psi_2$ is true. We have thus shown that $\psi_1$ implies $\psi_2$. 

Suppose $\neg\psi_1$ is true. We have $(\preceq_{yx}, c_{yx}) \ge (\preceq_{y0}, c_{y0} + \alpha_x)$. If $c_{yx} > c_{y0} + \alpha_x$, 
then clearly $c_{y0} < c_{yx} - \alpha_x$, implying that $\neg\psi_2$ holds. If $c_{yx} = c_{y0} + \alpha_x$, then we 
need to have $\preceq_{yx} = \le$ and $\preceq_{y0} = \le$. Although $\neg\psi_2$ does not hold now, we can safely 
take $\beta_2$ to be $\lceil -Z_{y0} \rceil + (<, -\alpha_x)$ as its value is in fact equal to $-Z_{yx} + (<, 1)$ in 
this case. Summarizing the above two paragraphs, we can rewrite $\beta_2$ as follows: 



We are now in a position to determine $\beta$ as $\min\{\beta_1, \beta_2\}$. Recall that we are 
in the case where $Z_{y0} \ge (\le, -\alpha_y)$ and we have established that $[G']$ is non-empty. 
Now since $[G'] = [G'_1] \cup [G'_2]$ by construction, both of them cannot be 
simultaneously empty. Hence from Equations 3 and 5, we get $\beta$, the $\min\{\beta_1, \beta_2\}$, 
as: 



There remains one last step of reasoning. To prove the lemma, we need to show 
that $\beta = \max\{\lceil -Z_{yx} \rceil, \lceil -Z_{y0} \rceil + (<, -\alpha_x)\}$. For this it is enough to show the 
following two implications: 

$Z_{yx} < Z_{y0} + (\le, \alpha_x) \Rightarrow \lceil -Z_{yx} \rceil \ge \lceil -Z_{y0} \rceil + (<, -\alpha_x)$ 
$Z_{yx} \ge Z_{y0} + (\le, \alpha_x) \Rightarrow \lceil -Z_{yx} \rceil \le \lceil -Z_{y0} \rceil + (<, -\alpha_x)$ (6) 

We prove only the first implication. The second follows in a similar fashion. Let 
us consider the notation $(\preceq_{yx}, c_{yx})$ and $(\preceq_{y0}, c_{y0})$ for $Z_{yx}$ and $Z_{y0}$ respectively. 
So we have: 

$(\preceq_{yx}, c_{yx}) < (\preceq_{y0}, c_{y0}) + (\le, \alpha_x)$ 
$\Leftrightarrow (\preceq_{yx}, c_{yx}) < (\preceq_{y0}, c_{y0} + \alpha_x)$ 

If the constant $c_{yx} < c_{y0} + \alpha_x$, then $-c_{yx} > -c_{y0} - \alpha_x$ and we clearly get that 
$\lceil -Z_{yx} \rceil \ge \lceil -Z_{y0} \rceil + (<, -\alpha_x)$. If the constant $c_{yx} = c_{y0} + \alpha_x$ and if $\preceq_{y0} = \le$, 
then the required inequation is trivially true; if $\preceq_{y0} = <$, it implies that $\preceq_{yx} = <$ 
too and clearly $\lceil (<, -c_{yx}) \rceil$ equals $\lceil (<, -c_{y0}) \rceil + (<, -\alpha_x)$. □ 

►Theorem 2. Let Z, $Z'$ be zones. Then, $Z \not\subseteq Closure_\alpha(Z')$ iff there exist variables 
x, y such that one of the following conditions holds: 

1. $Z'_{0x} < Z_{0x}$ and $Z'_{0x} \le (\le, \alpha_x)$, or 

2. $Z'_{x0} < Z_{x0}$ and $Z_{x0} \ge (\le, -\alpha_x)$, or 

3. $Z_{x0} \ge (\le, -\alpha_x)$ and $Z'_{xy} < Z_{xy}$ and $Z'_{xy} \le (\le, \alpha_y) + \lfloor Z_{x0} \rfloor$. 

Proof. By definition of the Closure abstraction, $Z \not\subseteq Closure_\alpha(Z')$ iff there exists 
a region R that intersects Z but does not intersect $Z'$. Therefore, from Proposition 
2, we need an R that intersects Z and satisfies $Z'_{yx} + R_{xy} < (\le, 0)$ for some 
variables x, y. This is equivalent to saying that for the least value of $R_{xy}$ that 
can be obtained from the zone Z, we have $Z'_{yx} + R_{xy} < (\le, 0)$. Depending on whether x 
is $x_0$, or y is $x_0$, or both x and y are not $x_0$, we get the following three conditions 
that correspond to the three conditions given in the theorem. 

Case 1: $Z'_{0x} + R_{x0} < (\le, 0)$ 

From Lemma 3, the minimum value of $R_{x0}$ from among the regions intersecting 
Z is given by $\max\{\lceil -Z_{0x} \rceil, (<, -\alpha_x)\}$. So we have: 

$Z'_{0x} + \max\{\lceil -Z_{0x} \rceil, (<, -\alpha_x)\} < (\le, 0)$ 
$\Leftrightarrow Z'_{0x} + \lceil -Z_{0x} \rceil < (\le, 0)$ and $Z'_{0x} + (<, -\alpha_x) < (\le, 0)$ 
$\Leftrightarrow Z'_{0x} < Z_{0x}$ and $Z'_{0x} \le (\le, \alpha_x)$ 

This gives Condition 1 of the theorem. 

Case 2: $Z'_{x0} + R_{0x} < (\le, 0)$ 

From Lemma 3, the minimum value of $R_{0x}$ is $(<, \infty)$ if $Z_{x0} < (\le, -\alpha_x)$, 
and hence it cannot be part of a negative cycle. The edge $R_{0x}$ can yield a 
negative cycle only when $Z_{x0} \ge (\le, -\alpha_x)$, in which case the least value of 
$R_{0x}$ is given by $\lceil -Z_{x0} \rceil$. So we have $Z'_{x0} + \lceil -Z_{x0} \rceil < (\le, 0)$ which translates 
to $Z'_{x0} < Z_{x0}$. Therefore, this case is equivalent to saying $Z_{x0} \ge (\le, -\alpha_x)$ 
and $Z'_{x0} < Z_{x0}$, which gives Condition 2 of the theorem. 

Case 3: $Z'_{yx} + R_{xy} < (\le, 0)$ 

From Lemma 4, we get that the minimum value of the edge $R_{xy}$ is $(<, \infty)$ if 
$Z_{y0} < (\le, -\alpha_y)$. Similar to the case above, $R_{xy}$ cannot be part of a negative 
cycle in that situation. So we need to first check that $Z_{y0} \ge (\le, -\alpha_y)$. Now, from Lemma 4, 
the minimum value of $R_{xy}$ is given by $\max\{\lceil -Z_{yx} \rceil, \lceil -Z_{y0} \rceil + (<, -\alpha_x)\}$. 
We get: 

$Z'_{yx} + \max\{\lceil -Z_{yx} \rceil, \lceil -Z_{y0} \rceil + (<, -\alpha_x)\} < (\le, 0)$ 
$\Leftrightarrow Z'_{yx} + \lceil -Z_{yx} \rceil < (\le, 0)$ and $Z'_{yx} + \lceil -Z_{y0} \rceil + (<, -\alpha_x) < (\le, 0)$ 
$\Leftrightarrow Z'_{yx} < Z_{yx}$ and $Z'_{yx} + \lceil -Z_{y0} \rceil + (<, -\alpha_x) < (\le, 0)$ 

Let us look at the second inequality: $Z'_{yx} + \lceil -Z_{y0} \rceil + (<, -\alpha_x) < (\le, 0)$. If 
$Z_{y0}$ is of the form $(\le, c)$ with c an integer, then $-Z_{y0} = (\le, -c)$ and $\lceil -Z_{y0} \rceil$ 
is the same: $(\le, -c)$. So we get: 

$Z'_{yx} + (\le, -c) + (<, -\alpha_x) < (\le, 0)$ 
$\Leftrightarrow Z'_{yx} + (<, -c - \alpha_x) < (\le, 0)$ 
$\Leftrightarrow Z'_{yx} \le (\le, c + \alpha_x)$ 

When $Z_{y0} = (<, c)$, then $\lceil -Z_{y0} \rceil = (<, -c + 1)$ and we get: 

$Z'_{yx} + (<, -c + 1) + (<, -\alpha_x) < (\le, 0)$ 
$\Leftrightarrow Z'_{yx} + (<, -c + 1 - \alpha_x) < (\le, 0)$ 
$\Leftrightarrow Z'_{yx} \le (\le, c - 1 + \alpha_x)$ 

This gives Condition 3 of the theorem (symmetric in x and y). □ 
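The test derived in this proof, as an added example rather than the authors' implementation: every pair (x, y) is checked for $Z'_{yx} + \min R_{xy} < (\le, 0)$ with the minima of Lemmas 3 and 4, on DBMs first brought into canonical form by Floyd-Warshall, with emptiness detected as in Proposition 1. The weight encoding, clock indices, sample zones and bound function α are constructed here for the demonstration.

```python
# Added example (not the authors' code). Weights are pairs (strict, c):
# (False, c) encodes (<=, c) and (True, c) encodes (<, c). dbm[i][j] = Z_ij bounds
# x_j - x_i; index 0 is the reference clock x_0. Zones and alpha below are constructed.
import math
from itertools import product

INF = float("inf")
LE, LT = False, True  # (<=, c) and (<, c)

def add(w1, w2):
    """Sum of two weights; a strict inequality on either side makes the sum strict."""
    return (w1[0] or w2[0], w1[1] + w2[1])

def less(w1, w2):
    """(r1, c1) < (r2, c2): smaller constant, or same constant with r1 = < and r2 = <=."""
    return w1[1] < w2[1] or (w1[1] == w2[1] and w1[0] and not w2[0])

def wmax(w1, w2):
    return w2 if less(w1, w2) else w1

def neg(w):
    """-(r, c) = (r, -c), as defined before Definition 1."""
    return (w[0], -w[1])

def ceil_w(w):
    """Ceiling of Definition 1: (<=,c) -> (<=,c) and (<,c) -> (<,c+1) for integer c,
    (<, ceil(c)) otherwise; infinite weights are returned unchanged."""
    strict, c = w
    if abs(c) == INF:
        return w
    if c == int(c):
        return (LT, c + 1) if strict else (LE, c)
    return (LT, math.ceil(c))

def canonical(dbm):
    """Floyd-Warshall: shortest-path weights give the canonical distance graph."""
    n = len(dbm)
    d = [row[:] for row in dbm]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                via = add(d[i][k], d[k][j])
                if less(via, d[i][j]):
                    d[i][j] = via
    return d

def is_empty(dbm):
    """Proposition 1: a diagonal entry below (<=, 0) is a negative cycle, so [G] is empty."""
    return any(less(dbm[i][i], (LE, 0)) for i in range(len(dbm)))

def zone(n_clocks, constraints):
    """DBM over clocks 1..n_clocks plus x_0; constraints are (i, j, strict, c)
    meaning x_j - x_i (<, <=) c. Every clock is non-negative."""
    n = n_clocks + 1
    d = [[(LT, INF)] * n for _ in range(n)]
    for i in range(n):
        d[i][i] = (LE, 0)
        d[i][0] = (LE, 0)  # x_0 - x_i <= 0
    for i, j, strict, c in constraints:
        if less((strict, c), d[i][j]):
            d[i][j] = (strict, c)
    return d

def min_region_edge(Z, alpha, x, y):
    """Least R_xy over the regions R meeting the canonical non-empty zone Z:
    Lemma 3 when x or y is x_0, Lemma 4 otherwise."""
    if x == y:
        return (LE, 0)
    if x == 0:  # R_0y: (<, inf) if every v in Z has v_y > alpha_y, else ceil(-Z_y0)
        if less(Z[y][0], (LE, -alpha[y])):
            return (LT, INF)
        return ceil_w(neg(Z[y][0]))
    if y == 0:  # R_x0: max{ceil(-Z_0x), (<, -alpha_x)}
        return wmax(ceil_w(neg(Z[0][x])), (LT, -alpha[x]))
    if less(Z[y][0], (LE, -alpha[y])):  # y unbounded in every region meeting Z
        return (LT, INF)
    return wmax(ceil_w(neg(Z[y][x])), add(ceil_w(neg(Z[y][0])), (LT, -alpha[x])))

def closure_witness(Z, Zp, alpha):
    """(x, y) with Z'_yx + min R_xy < (<=, 0) if Z is not in Closure_alpha(Z'), else None.
    By Proposition 2 such a pair exists iff some region meeting Z misses Z'."""
    Z, Zp = canonical(Z), canonical(Zp)
    if is_empty(Z):
        return None
    for x, y in product(range(len(Z)), repeat=2):
        if less(add(Zp[y][x], min_region_edge(Z, alpha, x, y)), (LE, 0)):
            return (x, y)
    return None

def closure_included(Z, Zp, alpha):
    return closure_witness(Z, Zp, alpha) is None

def zone_included(Z, Zp):
    """Plain Z subset of Z' on canonical DBMs, for comparison with the closure test."""
    Z, Zp = canonical(Z), canonical(Zp)
    n = len(Z)
    return is_empty(Z) or all(not less(Zp[i][j], Z[i][j]) for i in range(n) for j in range(n))

# Constructed demo: clocks x = 1, y = 2 with alpha_x = 3, alpha_y = 10 (index 0 unused).
ALPHA = [0, 3, 10]
Z_POINT = zone(2, [(0, 1, LE, 5), (1, 0, LE, -5), (0, 2, LE, 2), (2, 0, LE, -2)])  # x = 5, y = 2
Z_A = zone(2, [(1, 0, LE, -4), (0, 2, LE, 2), (2, 0, LE, -2)])  # x >= 4, y = 2
Z_B = zone(2, [(1, 0, LE, -6), (0, 2, LE, 2), (2, 0, LE, -2)])  # x >= 6, y = 2
Z_C = zone(2, [(0, 1, LE, 2), (0, 2, LE, 2), (2, 0, LE, -2)])   # x <= 2, y = 2

if __name__ == "__main__":
    # (5, 2) lies in the region x > alpha_x, y = 2, which meets Z_A and Z_B but not Z_C,
    # so Z_POINT is in Closure_alpha(Z_B) although it is not a subset of Z_B.
    print(closure_included(Z_POINT, Z_A, ALPHA), zone_included(Z_POINT, Z_A))  # True True
    print(closure_included(Z_POINT, Z_B, ALPHA), zone_included(Z_POINT, Z_B))  # True False
    print(closure_witness(Z_POINT, Z_C, ALPHA))  # (1, 0): Z'_0x + R_x0 is negative
```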

A.2 Handling LU-approximation 

Recall that for a zone Z, we denote by $Z^+$ the zone $Extra^+_{LU}(Z)$. Also note that 
$Z^+$ is not necessarily in canonical form. 

Proposition 3. Let R be a region and Z be a zone. Then, $R \cap Z^+$ is empty iff 
there exist variables x, y such that $Z^+_{yx} + R_{xy} < (\le, 0)$. 

Proof. Let $G_R$ be the canonical graph representing R and let $G_Z$ be the canonical 
distance graph representing Z. Let $G_{Z^+}$ be the graph representing $Z^+$. By 
definition, $G_{Z^+}$ is obtained from $G_Z$ by changing some edges to $(<, \infty)$ and some 
edges incident on $x_0$ to $(<, -U(x))$. Also, note that $G_{Z^+}$ is not necessarily in 
canonical form. 

From Proposition 1, $R \cap Z^+$ is empty iff $\min(G_R, G_{Z^+})$ has a negative cycle. 
An easy case is when in $\min(G_R, G_{Z^+})$ a weight of an edge between two variables 
bounded in R comes from $G_{Z^+}$. Using Lemma 2 we get a negative cycle of the 
required form on these two variables. 

It remains to consider the opposite case. We need then to have an unbounded 
variable on the cycle. Let y be a variable unbounded in R that is part of the 
negative cycle. Consider y with its successor and its predecessor on the cycle: 
$x \to y \to x'$. Observe that in R every edge to y has value $\infty$. So the weight of 
the edge $x \to y$ is from $Z^+$. By definition of $Z^+$, it is also from Z. If also the 
weight of the outgoing edge were from Z then we could have obtained a shorter 
negative cycle by choosing $x \to x'$ from Z. Hence the weight of $y \to x'$ comes 
from an edge modified in $Z^+$ or from R. In the first case it is $y \xrightarrow{(<, -U(y))} 0$, in the 
second it is $y \xrightarrow{(<, -\alpha_y)} 0$. However, note that since $U(y) \le \alpha_y$, we have $-\alpha_y \le -U(y)$ 
and therefore, in $\min(G_R, G_{Z^+})$ we could consider the edge to come from R, that 
is $y \xrightarrow{(<, -\alpha_y)} 0$. 

By the same analysis as in the proof of Proposition 2 we get that the shortest 
cycle of this kind should be of the form $0 \to y \to 0$ or $0 \to x \to y \to 0$, 
where y is an unbounded variable and x is a bounded variable. This cycle has the 
required form. □ 



Efficient inclusion testing for LU approximations. Let Z, $Z'$ be two zones 
and let $G_Z$, $G_{Z'}$ be the respective distance graphs in canonical form. Extrapolating 
$G_{Z'}$ with respect to the $Extra^+_{LU}$ operator gives a zone $Z'^+$ and a 
corresponding distance graph $G_{Z'^+}$, which is not necessarily in canonical form. 
However, from Proposition 3, the check $Z \subseteq Closure_\alpha(Z'^+)$ can be reduced to 
an edge by edge comparison with every region intersecting Z. Lemmas 3 and 4 
give the least value of the edge $R_{xy}$ for a region intersecting Z. Hence, similar 
to the case of $Z \subseteq Closure_\alpha(Z')$, it is enough to look at the edges of $G_Z$ one by one 
to determine what regions we can possibly get. As a result we get an analogue of 
Theorem 2 with $Z'$ replaced by $Z'^+$. 

Theorem 5. Let Z, $Z'$ be zones. Writing $Z'^+$ for $Extra^+_{LU}(Z')$ we get that $Z \not\subseteq 
Closure_\alpha(Z'^+)$ iff there exist variables x, y such that one of the following conditions 
holds: 

1. $Z'^+_{0x} < Z_{0x}$ and $Z'^+_{0x} \le (\le, \alpha_x)$, or 

2. $Z'^+_{x0} < Z_{x0}$ and $Z_{x0} \ge (\le, -\alpha_x)$, or 

3. $Z_{x0} \ge (\le, -\alpha_x)$ and $Z'^+_{xy} < Z_{xy}$ and $Z'^+_{xy} \le (\le, \alpha_y) + Z_{x0}$. 



B Proofs from Section 4 



B.l Correctness of the algorithm with Closure approximation 

Here we show the proof of 

Theorem 4. An accepting state is reachable in $ZG(A)$ iff the algorithm reaches a node with an accepting state and a non-empty zone.

The right-to-left direction follows by a straightforward induction on the length of the path. The left-to-right direction is shown using the following lemmas.

Let $\mathrm{Post}(S, t)$ stand for the set of all valuations of clocks reachable by $t$ from valuations in $S$. We will need the following observation.

Lemma 5 ([7]). For every zone $Z$, transition $t$ and bound function $\alpha$:

$\mathrm{Post}(\mathrm{Closure}_\alpha(Z), t) \subseteq \mathrm{Closure}_\alpha(\mathrm{Post}(Z, t))$.

Lemma 6. Suppose that the algorithm concludes that the final state is not reachable. Consider the tree it has constructed. For every $(q, Z)$ reachable from $(q_0, Z_0)$ in $ZG(A)$, there is a non tentative node $(q, Z', \alpha')$ in the tree such that $Z \subseteq \mathrm{Closure}_{\alpha'}(Z')$.

Proof. The hypothesis is vacuously true for $(q_0, Z_0)$. Assume that the hypothesis is true for a node $(q, Z) \in ZG(A)$. We now prove that the lemma is true for every successor of $(q, Z)$.

From the hypothesis, there exists a non tentative node $(q, Z_L, \alpha)$ in the constructed tree such that $Z \subseteq \mathrm{Closure}_\alpha(Z_L)$. Let $t = (q, g, r, q')$ be a transition of $A$ and let $(q, Z) \xrightarrow{t} (q', Z') \in ZG(A)$.

The transition $t$ is enabled from $(q, Z_L, \alpha)$ because $Z \subseteq \mathrm{Closure}_\alpha(Z_L)$, and, due to constraint propagation, for every clock $x$, $\alpha_x$ is greater than the maximum constant it is compared to in the guard $g$. So we have

$(q, Z_L, \alpha) \xrightarrow{t} (q', Z'_L, \alpha')$

in the constructed tree.

Since $Z \subseteq \mathrm{Closure}_\alpha(Z_L)$, we have $\mathrm{Post}(Z, t) \subseteq \mathrm{Post}(\mathrm{Closure}_\alpha(Z_L), t)$, that is $Z' \subseteq \mathrm{Post}(\mathrm{Closure}_\alpha(Z_L), t)$. From Lemma 5, $Z' \subseteq \mathrm{Closure}_\alpha(\mathrm{Post}(Z_L, t))$, that is $Z' \subseteq \mathrm{Closure}_\alpha(Z'_L)$. We now need to check if we can replace $\alpha$ with $\alpha'$. But $\mathrm{Closure}_\alpha(Z'_L) \subseteq \mathrm{Closure}_{\alpha'}(Z'_L)$ since by definition of constant propagation $\alpha_x \ge \alpha'(x)$ for all clocks $x$ not reset by $t$, and for clocks $x$ that are reset, $Z'_L$ entails $x = 0$, therefore irrespective of $\alpha$ or $\alpha'$ the regions that intersect with $Z'_L$ should satisfy $x = 0$.

If $n' = (q', Z'_L, \alpha')$ is non tentative, we are done and $n'$ is the node in the constructed tree corresponding to $(q', Z')$. If $n'$ is tentative then by definition we know that there exists a non tentative node $(q', Z''_L, \alpha'')$ such that $\alpha'' = \alpha'$ and $Z'_L \subseteq \mathrm{Closure}_{\alpha'}(Z''_L)$. Thus $Z' \subseteq \mathrm{Closure}_{\alpha'}(Z''_L)$. In this case $(q', Z''_L, \alpha'')$ is the node corresponding to $(q', Z')$.

□ 

B.2 Correctness of the algorithm with LU approximation 

The proof of the correctness of the algorithm using the $Z \subseteq \mathrm{Closure}_{LU}(Z')$ test is similar to that using the $Z \subseteq \mathrm{Closure}_\alpha(Z')$ test. We call it the LU-algorithm for short. Since $\mathrm{Extra}^+_{LU}$ is difficult to handle, we make a small detour through another approximation $a_{\preceq LU}(Z)$ introduced in [3]. We recall its definition here.

Definition 2 (LU-preorder). Fix integers $L$ and $U$. Let $v$ and $v'$ be two valuations. Then, we say $v' \preceq_{LU} v$ if for each clock $x$:

— either $v'(x) = v(x)$,

— or $L(x) < v'(x) < v(x)$,

— or $U(x) < v(x) < v'(x)$.

This LU-preorder can be extended to define abstractions of sets of valuations.

Definition 3 ($a_{\preceq LU}$, abstraction w.r.t. $\preceq_{LU}$). Let $W$ be a set of valuations. Then,

$a_{\preceq LU}(W) = \{ v \mid \exists v' \in W,\ v' \preceq_{LU} v \}$

It is shown in [3] that this is a sound, complete and finite abstraction, coarser 
than Closure. The soundness of this abstraction follows from the lemma given 
below. 

Lemma 7. Let $q$ be a state of $A$ and $t = (q, g, R, q_1)$ a transition. Assume that for a clock $x$: $L(x) \ge c$ for all $c$ such that $x > c$ or $x \ge c$ occurs in $g$; and $U(x) \ge d$ for all $d$ such that $x < d$ or $x \le d$ occurs in $g$. Let $v$ and $v'$ be valuations such that $v' \preceq_{LU} v$. Then, $(q, v) \xrightarrow{\delta, t} (q_1, v_1)$ implies that there exists a delay $\delta'$ and a valuation $v'_1$ such that $(q, v') \xrightarrow{\delta', t} (q_1, v'_1)$ and $v'_1 \preceq_{LU} v_1$.

The relation between $a_{\preceq LU}(Z)$ and $\mathrm{Extra}^+_{LU}(Z)$ is summarized by the following.

Lemma 8. For all zones $Z$,

$\mathrm{Extra}^+_{LU}(Z)$ is a zone (7)

$\mathrm{Extra}^+_{LU}(Z) \subseteq a_{\preceq LU}(Z)$ (8)

We are now in a position to prove the correctness of LU-algorithm. 

Theorem 6. An accepting state is reachable in $ZG(A)$ iff the LU-algorithm reaches a node with an accepting state and a non-empty zone.

The right to left direction is straightforward, so we concentrate on the opposite direction.

Lemma 9. For every zone $Z$ and transition $t$:

$\mathrm{Post}(a_{\preceq LU}(Z), t) \subseteq a_{\preceq LU}(\mathrm{Post}(Z, t))$

Proof. Pick $v_1 \in \mathrm{Post}(a_{\preceq LU}(Z), t)$. There exists a valuation $v \in a_{\preceq LU}(Z)$ such that $v \xrightarrow{t} v_1$. By definition of $a_{\preceq LU}$, there exists a valuation $v' \in Z$ such that $v' \preceq_{LU} v$. From Lemma 7, $v' \xrightarrow{t} v'_1$ such that $v'_1 \preceq_{LU} v_1$. Hence $v_1 \in a_{\preceq LU}(\mathrm{Post}(Z, t))$. □

The left to right implication of the theorem follows from the next lemma and from the following invariant on the nodes of the tree that is computed. For every node $n = (q, Z, L, U)$:

1. if $n$ is not tentative, then $L, U$ are respectively the maximum of the $L_s, U_s$ from all successor nodes $(q_s, Z_s, L_s, U_s)$ of $n$ (taking into account guards and clock resets, even if $Z_s$ is empty);

2. if $n$ is tentative with respect to $(q', Z', L', U')$, then $L$ and $U$ are equal to $L'$ and $U'$ respectively.

Lemma 10. For every $(q, Z)$ reachable in $ZG(A)$, there exists a non tentative node $(q, Z_1, L_1, U_1)$ in the tree constructed by the LU-algorithm, such that $Z \subseteq$

Proof. The hypothesis is vacuously true for $(q_0, Z_0)$. Assume that the hypothesis is true for a node $(q, Z) \in ZG(A)$. We prove that the lemma is true for every successor of $(q, Z)$.

From the hypothesis, there exists a node $(q, Z_1, L_1, U_1)$ in the tree constructed by the LU-algorithm such that $Z \subseteq a_{\preceq L_1U_1}(Z_1)$. Let $t = (q, g, r, q')$ be a transition of $A$ and let $(q, Z) \xrightarrow{t} (q', Z') \in ZG(A)$. There are two cases.

$(q, Z_1)$ is not tentative. Since $Z \subseteq a_{\preceq L_1U_1}(Z_1)$, the transition $t$ is enabled from $a_{\preceq L_1U_1}(Z_1)$. From Lemma 7, $t$ is enabled from $Z_1$ too. Since $Z \subseteq a_{\preceq L_1U_1}(Z_1)$, we have $\mathrm{Post}(Z, t) \subseteq \mathrm{Post}(a_{\preceq L_1U_1}(Z_1), t)$, that is $Z' \subseteq \mathrm{Post}(a_{\preceq L_1U_1}(Z_1), t)$. From Lemma 9, $Z' \subseteq a_{\preceq L_1U_1}(\mathrm{Post}(Z_1, t))$. We can take $Z'_1 = \mathrm{Post}(Z_1, t)$ and then let $(q', Z'_1, L'_1, U'_1)$ be the successor node in the tree computed by the LU-algorithm. It remains to show that $Z' \subseteq a_{\preceq L'_1U'_1}(Z'_1)$, so that this is the node corresponding to $(q', Z')$. This follows because by definition $L_1(x) \ge L'_1(x)$ and $U_1(x) \ge U'_1(x)$ for all clocks $x$ that are not reset by the transition $t$, and for the clocks reset by $t$, $Z'_1$ entails $x = 0$.

$(q, Z_1)$ is tentative. If it is a tentative node, we know that there exists a non-tentative node $(q, Z_2, L_2, U_2)$ in the tree constructed by the LU-algorithm such that $Z_1 \subseteq \mathrm{Closure}_{L_2U_2}(Z_2)$, that is, $Z_1 \subseteq a_{\preceq L_2U_2}(Z_2)$. The rest of the argument is the same as in the previous case with $(q, Z_2, L_2, U_2)$ instead of $(q, Z_1, L_1, U_1)$.

□ 



